The team at Wordfence uncovered security issues with the plug in back in October that allowed attackers to take over a WordPress site
After reaching out to the developer, a patch was created to counter the issue, released on version 2.1.12 toward the end of October.
The Ultimate member plugin is quite popular and used for registering users, allowing them to create individual accounts and custom roles within the WordPress site. According to the Wordfence team, attackers could use arbitrary user meta keys while registering allowing the attacker to take control over the site with a few easy keystrokes. Attackers could change roles of users, gain elevated privileges and take over as a admin. Finally on October 29th, 2020, the plugin’s developers release a patch in version 2.1.12 to correct the security issue.Wordfence users received a firewall rule on October 23rd, 2020. Those using the free version will receive it on November 20 of this year as well. We thank both Wordfence and the developer of the plugin for their prompt response to the issue.