Ultimate Member Profile Privacy Setting Bypass Vulnerability

Vulnerability

A vulnerability allowing profile privacy setting bypass has been identified in the Ultimate Member plugin for WordPress, affecting all versions through 2.11.0. This issue arises from a flaw in the secure fields mechanism, where field keys are added to the allowed fields list before the required permission check is applied during rendering. As a result, authenticated attackers with Subscriber-level access can manipulate their profile privacy settings, such as selecting 'Only me', even if the administrator has disabled this option for their role.
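As an added illustration, not code from Ultimate Member itself, the following hypothetical PHP model shows the ordering flaw described above beside the corrected ordering; the field policy, role names and function names are all constructed for the example.

```php
<?php
// Hypothetical toy model (not Ultimate Member code) of the allowlist ordering flaw.
// Constructed policy: which roles may edit which secure profile fields.
$field_permissions = [
    'profile_privacy' => ['administrator', 'editor'],   // 'subscriber' deliberately absent
    'display_name'    => ['administrator', 'editor', 'subscriber'],
];
function role_can_edit(string $role, string $key, array $perms): bool {
    return in_array($role, $perms[$key] ?? [], true);
}
// Vulnerable ordering: the key joins the allowlist before the permission check,
// so the check only suppresses rendering while the save handler still trusts the key.
function collect_fields_vulnerable(string $role, array $perms): array {
    $allowed = []; $rendered = [];
    foreach (array_keys($perms) as $key) {
        $allowed[] = $key;                        // added before the check
        if (!role_can_edit($role, $key, $perms)) {
            continue;                             // skips rendering only
        }
        $rendered[] = $key;
    }
    return ['allowed' => $allowed, 'rendered' => $rendered];
}
// Fixed ordering: the permission check runs first; only permitted keys are allowlisted.
function collect_fields_fixed(string $role, array $perms): array {
    $allowed = []; $rendered = [];
    foreach (array_keys($perms) as $key) {
        if (!role_can_edit($role, $key, $perms)) {
            continue;
        }
        $allowed[] = $key;                        // added only after the check passes
        $rendered[] = $key;
    }
    return ['allowed' => $allowed, 'rendered' => $rendered];
}
// Save handler: accepts a submitted field only if its key is on the allowlist.
function save_submitted(array $submitted, array $allowed): array {
    return array_intersect_key($submitted, array_flip($allowed));
}
// Constructed submission: a subscriber posts a value for a field the form never rendered.
$post  = ['profile_privacy' => 'only_me', 'display_name' => 'alice'];
$vuln  = collect_fields_vulnerable('subscriber', $field_permissions);
$fixed = collect_fields_fixed('subscriber', $field_permissions);
print_r(save_submitted($post, $vuln['allowed']));   // profile_privacy is saved: the bypass
print_r(save_submitted($post, $fixed['allowed']));  // only display_name survives
```

The save handler is the same in both cases; what changes is whether the allowlist it trusts was built before or after the permission check.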

Impact

Exploitation of this vulnerability allows authenticated users with Subscriber-level access to bypass profile privacy restrictions, potentially leading to unauthorized visibility of personal information or activities.

Reproduction

To reproduce this vulnerability, an authenticated user with Subscriber-level access can manually adjust the parameters related to profile privacy settings. This can be done through the account management features provided by the Ultimate Member plugin, specifically by navigating to the privacy tab and selecting a privacy option that has been disabled by the administrator.

Remediation

Users are advised to update the Ultimate Member plugin to version 2.11.1 or later, where this vulnerability has been patched.

Added: Dec 17, 2025, 7:25 PM
Updated: Dec 17, 2025, 7:25 PM

Vulnerability Rating

Custom Algorithm
spread: 6.4
impact: 0.6
exploitability: 6.4
remediation: 7.7
relevance: 1.5
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.