Ultimate Membership Pro < 8.6.1 – Multiple Critical Vulnerabilities

Feb 6, 2020 | Security - Internet, WordPress, and otherwise

Description
Multiple critical vulnerabilities found in Ultimate Membership Pro could lead to unauthenticated remote code execution on a default installation, as well as PII disclosure.

Edit (WPScanTeam):

February 3rd, 2020 - Report received & Envato contacted
February 4th, 2020 - Envato investigating
February 4th, 2020 - v8.6.1 released, devs reply (via Envato): "What that user mentions is kindly related to an old plugin version, as was found on the demo website too. It seems actually he has no access to the item in order to download latest updates and probably is about an old nulled version downloaded somewhere out of the market. Still, with this occasion, we've made several changes in that direction as extra protection and have been uploaded on the marketplace."

We were unable to fully verify the RCE claims; however, one of the files generated by the plugin via an affected method was found to be publicly accessible (confirmed on the demo site before it was updated to 8.6.1, as well as on a few other blogs running the plugin) and to contain PII such as email addresses, IP addresses, hashed passwords, usernames, User-Agent strings and so on. If you are a user of the plugin, please contact us to help us verify whether or not the issues have been properly remediated.
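The disclosure above boils down to a plugin writing a data file with user records into a web-served directory. A site owner who wants to check their own install for that class of problem can walk the content directory and flag files that hold the kinds of PII the advisory lists (email addresses, IP addresses, hashed passwords). The script below is an added example written for this page, not WPScan's or the plugin vendor's code; the directory layout it scans, the file names and the sample records are all constructed here, and the real file the advisory refers to is not named on the page.

```python
import os
import re
import tempfile

# Patterns for the PII kinds the advisory lists. The hash pattern covers
# WordPress phpass hashes ($P$/$H$) and bcrypt ($2a$/$2b$/$2y$ with a cost).
PII_PATTERNS = {
    "email": re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}"),
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "password_hash": re.compile(
        r"\$(?:P|H)\$[./A-Za-z0-9]{8,}|\$2[aby]\$\d{2}\$[./A-Za-z0-9]{53}"
    ),
}

# Plain-text formats a plugin might dump records into; PHP files are skipped
# because the web server executes rather than serves them.
SCAN_EXTENSIONS = {".txt", ".log", ".csv", ".json", ".dat"}


def scan_file(path):
    """Return {pattern_name: match_count} for PII patterns found in one file."""
    counts = {}
    try:
        with open(path, "r", encoding="utf-8", errors="replace") as fh:
            data = fh.read()
    except OSError:
        return counts
    for name, pattern in PII_PATTERNS.items():
        hits = len(pattern.findall(data))
        if hits:
            counts[name] = hits
    return counts


def scan_tree(root):
    """Walk a content directory; map each offending file (relative, '/'-separated) to its counts."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for filename in files:
            if os.path.splitext(filename)[1].lower() not in SCAN_EXTENSIONS:
                continue
            full = os.path.join(dirpath, filename)
            counts = scan_file(full)
            if counts:
                rel = os.path.relpath(full, root).replace(os.sep, "/")
                findings[rel] = counts
    return findings


def build_sample_tree():
    """Create a constructed wp-content-like tree with one leaky export file (hypothetical layout)."""
    root = tempfile.mkdtemp(prefix="wp-content-sample-")
    plugin_dir = os.path.join(root, "uploads", "example-plugin")  # hypothetical path
    os.makedirs(plugin_dir)
    bcrypt_tail = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0"  # 53 chars
    with open(os.path.join(plugin_dir, "export.txt"), "w", encoding="utf-8") as fh:
        # Constructed records: email, IP, hash, user agent (no real users).
        fh.write("alice@example.com,203.0.113.5,$P$BxampleHashValue1234567890,Mozilla/5.0\n")
        fh.write("bob@example.org,198.51.100.7,$2y$10$" + bcrypt_tail + ",curl/7.0\n")
    with open(os.path.join(root, "uploads", "harmless.txt"), "w", encoding="utf-8") as fh:
        fh.write("nothing sensitive here\n")
    return root


def demo():
    """Build the sample tree, scan it and return the findings."""
    return scan_tree(build_sample_tree())


if __name__ == "__main__":
    for path, counts in demo().items():
        print(path, counts)
```

Pointed at a real `wp-content` directory, any file this reports should then be checked from outside the site (an unauthenticated request for its URL): if the web server returns the contents, the file needs to be moved out of the document root or blocked at the server, and the users whose data it holds treated as exposed.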
