We can’t emphasize enough that you should not use the plugin Ultimate Member as the plugin has been riddled with security vulnerabilities including one that was widely exploited last year and was slow to be fixed, due to what appears to be a lack of interest by the developer in getting it secure. That lack of interest is particularly problematic due to the fact that the plugin has 100,000+ active installations according to wordpress.org. The latest vulnerability found in it is yet another reminder of that, as the developer attempted to fix a serious vulnerability, but used the wrong code, so there is still a vulnerability, though less easily exploited. The continuation of the vulnerability also involves a security failure in WordPress that was warned about back in February of 2011, but still hasn’t been resolved despite being continually being implicated in widely exploited vulnerabilities.
In our previous post we mentioned how Wordfence was lying about us related to a vulnerability in the plugin Related Posts (Yuzo Related Posts), but they also got something else wrong that is worth noting. One section of their post titled “is_admin() Strikes Again”. In that they write this:
As was mentioned in more details on the post on the other vulnerability we found in the plugin BePro Listing, we recently had a request for a file from the plugin, which indicated that someone might be trying to exploit something in this plugin. While that arbitrary file upload vulnerability is probably what hackers are looking to exploit. The plugin also has a vulnerability that allows anyone to delete posts from a website with this plugin enabled.
One reoccurring cause of security issues in WordPress plugins is the misuse of the function is_admin(). Based on its name you might reasonably assume that it checks if someone is Administrator level user in WordPress and that seems to have tripped up lots of plugin developers. In reality it just “checks if the Dashboard or the administration panel is attempting to be displayed”. It will also “return true when trying to make an ajax request (both front-end and back-end requests)”.