Multiple critical vulnerabilities found in Ultimate Membership Pro could lead to unauthenticated remote code execution on a default installation, as well as PII disclosure.

Edit (WPScanTeam):

February 3rd, 2020 - Report Received & Envato Contacted
February 4th, 2020 - Envato Investigating
February 4th, 2020 - v8.6.1 released, devs reply (via Envato):

"What that user mentions is kindly related to an old plugin version, as was found on the demo website too. It seems actually he has no access to the item in order to download latest updates and probably is about an old nulled version downloaded somewhere out of the market. Still, with this occasion, we've made several changes in that direction as extra protection and have been uploaded on the marketplace."

We were unable to fully verify the RCE claims; however, one of the files generated by the plugin via an affected method was found to be publicly accessible (confirmed to be on the demo before they updated to 8.6.1, as well as on a few other blogs having the plugin), and to contain PII such as emails, IP addresses, hashed passwords, usernames, User-Agent and so on.

If you are a user of the plugin, please contact us to help us verify whether or not the issues have been properly remediated.