If you run a WordPress site with the Ultimate Member plugin installed, make sure you’ve updated it to the latest version.
Over the weekend, the plugin’s creator published version 2.6.7, which is supposed to patch a serious security hole [...]
A critical vulnerability in the plugin (CVE-2023-3460) allows an unauthenticated attacker to register as an administrator and take full control of the website. The problem occurs with the plugin registration form. In this form it appears possible to change certain values for the account to be registered. This includes the wp_capabilities value, which determines the user’s role on the website.
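Because the role lives in the wp_capabilities user meta value, a site owner can audit recent registrations directly in the database. The query below is an added example, not code from the plugin or from the quoted article; it assumes MySQL/MariaDB, the default "wp_" table prefix, and a constructed cutoff date that you should replace with your own.

```sql
-- Added audit example (not from the plugin or the quoted article).
-- Assumptions: default "wp_" table prefix; the cutoff date is a constructed
-- placeholder, set it to the start of the window you want to review.
--
-- WordPress stores a user's roles as a serialized PHP array in wp_usermeta
-- under meta_key "wp_capabilities", e.g. a:1:{s:10:"subscriber";b:1;}
-- The role given to normal sign-ups is the "default_role" row in wp_options.
SELECT
    u.ID,
    u.user_login,
    u.user_email,
    u.user_registered,
    m.meta_value AS capabilities,
    -- 1 when the stored roles include administrator
    (m.meta_value LIKE '%"administrator"%') AS is_admin,
    -- 1 when the stored roles include the site's default sign-up role
    (m.meta_value LIKE CONCAT('%"', o.option_value, '"%')) AS has_default_role
FROM wp_users AS u
JOIN wp_usermeta AS m
    ON m.user_id = u.ID
   AND m.meta_key = 'wp_capabilities'
JOIN wp_options AS o
    ON o.option_name = 'default_role'
WHERE u.user_registered >= '2023-06-01 00:00:00'   -- constructed cutoff
  AND (
        m.meta_value LIKE '%"administrator"%'
        OR m.meta_value NOT LIKE CONCAT('%"', o.option_value, '"%')
      )
ORDER BY is_admin DESC, u.user_registered DESC;
```

Any row with is_admin = 1 that you did not create yourself deserves a closer look, as does any self-registered account whose role is not the site default.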
not_bob wrote
WordPress should not be used by anyone.