Bug report: A user was able to log in to the site and somehow change our administrator email to their own Gmail address, while getting the site to declare that the changed email was one of our own domain.com.

What happened:

We were alerted when UM notified us this morning of a change of email on our admin account. What was strange was that the email UM declared as the change was one of our own.

As we hadn't changed any admin emails, it was investigating this that led us to log into phpMyAdmin, where we saw the user had indeed managed to change the admin email to an external, third-party Gmail account.

Outcome:

We do not know what mechanism the user was able to change the admin email with.

We deleted the user and the admin account. Unfortunately, in our haste to delete the admin account, we lost a day of work even with 2 backups of the server VPS.

We have enabled 2-step authentication, prevented admin from logging in on the front end (admin now uses a separate login with 2-step enabled) and upgraded UM to the latest version.

https://www.ads-software.com/plugins/ultimate-member/
