Ultimate Member 2.6.7 Patches Privilege Escalation Vulnerability
Authors of the Ultimate Member plugin have released version 2.6.7 with a patch for a privilege escalation vulnerability. Last week WPScan reported that Ultimate Member had still not fully patched the vulnerability after multiple inadequate attempts. There was evidence that it was being actively exploited in the wild.
Working through the complexities of this security issue, WPScan researcher Marc Montpas opened a ticket on WordPress trac, identifying an issue with the meta key field in the usermeta table using accent insensitive collations:
Looking at the latest string of vulnerability issues that came up related to the Ultimate Member plugin I discovered that the usermeta table has an accent insensitive collation for the meta_key field. This results in queries for wp_cãpăbilitiës to return the actual wp_capabilities row! See update_metadata() function in wp-includes/meta.php