CVE-2019-10673

Name of the Vulnerable Software and Affected Versions Ultimate Member plugin versions prior to 2.0.40

Description A CSRF issue in the profile edit form of logged-in users allows attackers to gain admin privileges, extract sensitive information, and execute arbitrary code. This is possible because an attacker can modify the administrator's email address and then use the WordPress "password forget" form to reset the administrator's password.

Recommendations For Ultimate Member plugin versions prior to 2.0.40, update to version 2.0.40 or later to resolve the issue. As a temporary workaround, consider restricting access to the profile edit form for logged-in users until the update is applied.