PSA: Unpatched Critical Privilege Escalation Vulnerability in Ultimate Member Plugin Being Actively Exploited

On June 29, 2023, the Wordfence Threat Intelligence Team became aware of an unpatched privilege escalation vulnerability being actively exploited in Ultimate Member, a WordPress plugin installed on over 200,000 sites. We identified it through the vulnerability changelog monitoring we perform to keep the Wordfence Intelligence Vulnerability Database up to date and accurate. Upon further investigation, we confirmed that the vulnerability is being actively exploited and that it has not been adequately patched in the latest available version, which is 2.6.6 at the time of this writing.

Once we determined the root cause, we released a firewall rule to help protect our Wordfence Premium customers. Wordfence free users will receive the same protection in 30 days, on July 29th, 2023. Because the latest version of the plugin, 2.6.6, is not fully patched, we recommend uninstalling the plugin until a complete patch has been released.

Source and details:
