A WordPress plugin has three critical security bugs that each allow privilege escalation and potentially full control over a target WordPress site. The plugin, Ultimate Member, allows web admins to add user profiles and membership areas to their websites. The flaws make it possible for both authenticated and unauthenticated attackers to escalate their privileges during registration and attain the status of an administrator. The third bug rates 9.9 out of 10 on the severity scale due to a lack of capability checks on the plugin's Profile Update function.
Source: https://threatpost.com/ultimate-member-plugin-wordpress-site-takeover/161053/

