PT-2021-11937 · WordPress · Ultimate Member

Chloe Chamberland
Published: 2021-01-04 · Updated: 2021-01-08
CVE-2020-36156
CVSS v3.1: 9.9 Critical
Vector: AC:L/AV:N/A:H/C:H/I:H/PR:L/S:C/UI:N
Name of the Vulnerable Software and Affected Versions: Ultimate Member plugin versions prior to 2.1.12
Description: Authenticated privilege escalation via profile update. Any user with access to the profile.php page can submit the um-role parameter set to any role, such as Administrator, during a profile update, and the plugin applies it, effectively escalating that user's privileges.
Recommendations: For Ultimate Member plugin versions prior to 2.1.12, update to version 2.1.12 or later to resolve the issue. As a temporary workaround, consider restricting access to the profile.php page and to the um-role parameter to minimize the risk of exploitation.
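The weakness described above, modelled as an added example that is not Ultimate Member's code: a self-service profile form whose handler writes every submitted field, including um-role, next to a hardened handler that treats the role as a privileged field. The capability name `promote_users`, the field policy and the sample account are assumptions made for the model; the hardened version also records rejected attempts so they can be alerted on.

```python
# Constructed model of the flaw described above; not Ultimate Member's code.
# A self-service profile form may only change self-service fields; the role
# is privileged and is dropped unless the submitting user holds the
# capability gating role changes (the capability name is an assumption).
from typing import Dict, List, Tuple, Optional

VALID_ROLES = {"subscriber", "contributor", "author", "editor", "administrator"}

# form field -> (account key it writes, capability needed; None = self-service)
FIELD_POLICY: Dict[str, Tuple[str, Optional[str]]] = {
    "display_name": ("display_name", None),
    "um-role": ("role", "promote_users"),
}


def vulnerable_update(account: dict, form: dict) -> dict:
    """Flawed handler: every submitted field is written to the account, so a
    subscriber who posts um-role=administrator becomes an administrator."""
    updated = dict(account)
    for field, value in form.items():
        key, _ = FIELD_POLICY.get(field, (field, None))
        updated[key] = value
    return updated


def hardened_update(account: dict, form: dict, audit: List[str]) -> dict:
    """Only known fields are accepted, a privileged field needs the matching
    capability on the submitting user, and role names must come from the
    known set. Each rejected attempt is appended to `audit` for alerting."""
    updated = dict(account)
    for field, value in form.items():
        if field not in FIELD_POLICY:
            audit.append(f"dropped unknown field {field!r} from {account['login']}")
            continue
        key, cap = FIELD_POLICY[field]
        if cap is not None and cap not in account["caps"]:
            audit.append(f"ALERT {account['login']} submitted {field}={value!r} without {cap}")
            continue
        if key == "role" and value not in VALID_ROLES:
            audit.append(f"rejected unknown role {value!r} from {account['login']}")
            continue
        updated[key] = value
    return updated


if __name__ == "__main__":
    alice = {"login": "alice", "role": "subscriber", "caps": set()}  # constructed sample
    form = {"display_name": "Alice", "um-role": "administrator"}
    print("vulnerable:", vulnerable_update(alice, form)["role"])  # administrator
    log: List[str] = []
    print("hardened:  ", hardened_update(alice, form, log)["role"], log)
```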


Weakness Enumeration: Improper Privilege Management

Related Identifiers: CVE-2020-36156

Affected Products: Ultimate Member