Ultimate Member 2.6.7 Fixes Privilege Escalation Vulnerability

Title: Ultimate Member Plugin Releases Patch for Privilege Escalation Vulnerability


The Ultimate Member plugin, a popular WordPress plugin used for user management, recently released version 2.6.7 with a patch for a privilege escalation vulnerability. This vulnerability had been reported by WPScan, who discovered that the plugin had not fully patched the issue after multiple attempts. It was also found that the vulnerability was actively being exploited in the wild. In this article, we will delve into the details of the vulnerability and the steps taken by Ultimate Member to address it.

Understanding the Vulnerability:

WPScan researcher Marc Montpas identified an issue with the meta key field in the usermeta table, which used accent insensitive collations. This resulted in queries for certain meta keys returning incorrect results, potentially leading to privilege escalation. The vulnerability made it challenging to fully patch the issue, as it allowed attackers to exploit the plugin’s functionality.

Ultimate Member’s Response:

To address the vulnerability, Ultimate Member released version 2.6.7 on July 1, 2023. This update includes a whitelist for metakeys, ensuring that only authorized keys are stored while sending forms. Additionally, the plugin now separates form settings data and submitted data, operating them in two different variables. These changes may impact third-party developers who have customized the plugin and require them to update their customizations accordingly.

Recommendations for Users:

Ultimate Member advises all users to review and delete any unknown administrator accounts, reset all user passwords (including the admin), enable SSL and backups, and inform site members and customers about the incident. While the plugin’s developers are working on a feature that will allow website admins to reset passwords for all users, it is still being finalized. This precautionary measure is crucial to ensure the best protection for website users’ passwords.

Updating to Version 2.6.7:

It is essential for all Ultimate Member users to update to the latest available version, 2.6.7, which includes the patch for the privilege escalation vulnerability. The developers are actively seeking feedback from WPScan and evaluating all their extensions to ensure their security. By updating to the latest version, users can mitigate the risk of potential attacks and safeguard their websites.


The release of Ultimate Member plugin version 2.6.7 with a patch for the privilege escalation vulnerability is a significant step towards enhancing the security of WordPress websites. The vulnerability, which had been actively exploited in the wild, posed a serious threat to user data and website integrity. By promptly addressing the issue and providing clear instructions for users, Ultimate Member has demonstrated its commitment to ensuring the safety of its users’ websites. It is crucial for all Ultimate Member users to update to version 2.6.7 and follow the recommended security measures to protect their websites from potential attacks.

Stay in Touch


Related Articles