• We installed this plugin almost a year ago and hardly used it. Suddenly, we started seeing malware redirects for our website. After a few days of investigating we found that the Ultimate Member plugin was adding phishy jquery.js scripts to the header.php file that caused redirects to various sites. DO NOT INSTALL this plugin! If you do – you are better off removing it as quickly as possible.

Viewing 8 replies - 1 through 8 (of 8 total)
  • Andrew Nevins

    (@anevins)

    WCLDN 2018 Contributor | Volunteer support

    This is a serious allegation and I must ask how you concluded that Ultimate Member caused this. It is very possible that someone accessed your installation and added malware to the plugin.

    Yeah this vulnerability is real but it’s not the explicit fault of UM, there’s a vulnerability in the file upload of user accounts I believe:

    https://www.ads-software.com/support/topic/malware-files-being-uploaded/

    https://www.pluginvulnerabilities.com/2018/08/08/arbitrary-file-upload-vulnerability-being-exploited-in-current-version-of-ultimate-member/

    This is probably going to be fixed by the time most people read this, but be super careful and make sure you have everything updated!

    Andrew Nevins

    (@anevins)

    WCLDN 2018 Contributor | Volunteer support

    Get a fresh cup of coffee, take a deep breath and carefully follow this guide. When you’re done, you may want to implement some (if not all) of the recommended security measures.

    If you’re unable to clean your site(s) successfully, there are reputable organizations that can clean your sites for you. Sucuri and Wordfence are a couple.

    Thread Starter buzwiz123

    (@buzwiz123)

    It is a serious allegation! And I would never mention it unless it was very, very serious. I do not believe it is user data related, simply because when we did the investigation, we noticed that the plugin downloaded some temp data (php script) into the wp uploads area. Then it added a malicious jquery.js link to every header.php file we had on a system.

    The link was pointing to cdn.eeduelements.com/…/jquery.js. I do not know whether it was a hack on the plugin side, but we experienced it, and faced serious issues with Google.
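
The two symptoms reported in the post above (a script tag from an unfamiliar host in every header.php, and a PHP file in the uploads area) can be checked for across an installation. The following is an added example, not part of the original thread or of any plugin's code; the allowlist, the host `cdn.bad.example` and the sample tree are constructed for illustration.

```python
import os
import re
from urllib.parse import urlparse

# Captures the src URL of every <script> tag (case-insensitive).
SCRIPT_SRC = re.compile(r'<script\b[^>]*\bsrc\s*=\s*["\']([^"\']+)["\']', re.I)
PHP_EXT = (".php", ".phtml", ".phar")
UPLOADS = os.path.join("wp-content", "uploads") + os.sep

def scan_wordpress(root, allowed_hosts):
    """Return (unexpected_scripts, php_in_uploads) as sorted lists of findings."""
    scripts, dropped = [], []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            # Uploads should hold media only; PHP there deserves a look.
            if rel.startswith(UPLOADS) and name.lower().endswith(PHP_EXT):
                dropped.append(rel)
            if name == "header.php":
                with open(path, encoding="utf-8", errors="replace") as fh:
                    for url in SCRIPT_SRC.findall(fh.read()):
                        # Relative URLs have no hostname and are treated as local.
                        host = urlparse(url).hostname
                        if host and host not in allowed_hosts:
                            scripts.append((rel, host))
    return sorted(scripts), sorted(dropped)

def build_sample(root):
    """Write a constructed tree: one tampered header.php, one PHP file in uploads."""
    theme = os.path.join(root, "wp-content", "themes", "demo")
    tmp = os.path.join(root, UPLOADS, "tmp")
    os.makedirs(theme)
    os.makedirs(tmp)
    with open(os.path.join(theme, "header.php"), "w", encoding="utf-8") as fh:
        fh.write('<script src="/wp-includes/js/jquery/jquery.js"></script>\n'
                 '<script src="https://code.jquery.com/jquery.min.js"></script>\n'
                 '<script type="text/javascript" src="//cdn.bad.example/x/jquery.js"></script>\n')
    for name in ("cache.php", "photo.jpg"):
        with open(os.path.join(tmp, name), "w", encoding="utf-8") as fh:
            fh.write("constructed placeholder\n")

if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as root:
        build_sample(root)
        scripts, dropped = scan_wordpress(root, {"code.jquery.com"})
        for rel, host in scripts:
            print(f"unexpected script host {host} in {rel}")
        for rel in dropped:
            print(f"PHP file in uploads: {rel}")
```

A finding is a prompt for manual review, not proof of compromise: some plugins legitimately keep PHP files under uploads, and the allowlist has to reflect the hosts the site actually loads scripts from.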

    Thread Starter buzwiz123

    (@buzwiz123)

    It appears that people did complain about exploits in the plugin a week ago with a new version! Is anything being done to address it?

    At this point you put my account on monitor, while suggesting that I put some spammy reviews? Are you seriously doubting what I am saying?

    The way to fix it at this point is to completely remove the UM plugin. Luckily for us, we did not use it extensively, and it was relatively easy to get rid of. However, for other sites where it is more integrated, it might be a larger issue…

    I think the developers of UM need to address it asap and clearly state that the issue was fixed!

    Andrew Nevins

    (@anevins)

    WCLDN 2018 Contributor | Volunteer support

    At this point you put my account on monitor, while suggesting that I put some spammy reviews? Are you seriously doubting what I am saying?

    We’re not talking about you. Someone replied to your thread and we’ve archived their replies and put them on a monitor.

    Thread Starter buzwiz123

    (@buzwiz123)

    Oh – I am sorry I misunderstood. I just want to make sure that people who are looking at downloading the plugin are aware of a possible exploit. On a separate note… Does WordPress ban any plugins with malware until they are fixed? It is really a big issue… Until this accident I was under the impression that WordPress investigates and removes the problematic plugins until the found issues are resolved. Otherwise it is really unfair to all users out there who have no idea that there are issues…

  • The topic ‘DO NOT INSTALL this plugin – contains malware’ is closed to new replies.