CVE-2024-43240: 
WordPress vulnerability analysis and mitigation

The Ultimate Membership Pro WordPress plugin contains a critical vulnerability (CVE-2024-43240) that allows for privilege escalation. This vulnerability affects versions up to 12.6 of the plugin and has been assigned a CVSS score of 9.8 (Critical). The issue was discovered by security researcher Rafie Muhammad and was publicly disclosed on August 12, 2024 (Patchstack, WPScan).

The vulnerability stems from improper privilege management where the plugin fails to properly restrict access to functionality that allows privilege assignment. The issue allows unauthenticated users to supply $postData['lid'] which gets constructed into a $levelData variable containing custom membership levels. Through the $levelData['customrolelevel'] variable, attackers can gain access to higher-privilege roles (Security Online).

With approximately 40,000 websites using this plugin, the vulnerability's impact is significant. While the plugin's default settings do not permit administrator-level access, attackers can still gain unauthorized access to high-privilege or custom roles, potentially compromising website security and accessing restricted content (Security Online).

Website administrators are strongly advised to update to version 12.8 or later of the Ultimate Membership Pro plugin to patch this vulnerability. This update addresses the privilege escalation issue and prevents unauthorized access to higher-privilege roles (WPScan).