Hackers Exploiting Unpatched WordPress Plugin Flaw to Create Secret Admin Accounts

July 1, 2023 | Ravi Lakshmanan | Website Security / Cyber Threats

Unpatched WordPress plugin flaws

200,000 WordPress websites are at risk of ongoing attacks exploiting critical unpatched security vulnerabilities in the Ultimate Member plugin.

The flaw is tracked as CVE-2023-3460 (CVSS score: 9.8) and affects all versions of the Ultimate Member plugin, including the latest release (2.6.6), which shipped on June 29, 2023.

Ultimate Member is a popular plugin that makes it easy to create user profiles and communities on your WordPress site. It also provides account management functions.

“This is a very serious issue. An unauthenticated attacker could exploit this vulnerability to create a new user account with administrative privileges, granting them full control over the affected site,” said WordPress security firm WPScan in an alert.

While details of the flaw are being withheld because of active exploitation, it stems from improper blocklist logic: a newly registered user's wp_capabilities user meta value can be set to that of an administrator, giving the account full access to the site.

“The plugin comes with a pre-defined list of forbidden keys that a user should not be able to update, but in vulnerable versions of the plugin there are easy ways to bypass the configured filters, such as utilizing different case, slashes, and character encodings in the provided meta key values,” said Wordfence researcher Chloe Chamberland.
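To make the blocklist problem described above concrete, here is an added illustration (not Ultimate Member's or Wordfence's code) of a naive exact-match blocklist beside an allowlist with strict key syntax. The forbidden and allowed key sets, the `stored_key` approximation of URL-decoding, slash stripping and case-insensitive storage, and the sample keys are all constructed assumptions for the demonstration.

```python
"""Added illustration (not the plugin's code): why an exact-match blocklist on
submitted meta keys fails and how an allowlist with strict syntax closes it."""
import re
import urllib.parse

# Constructed blocklist of the kind the article describes.
FORBIDDEN_META_KEYS = {"wp_capabilities", "wp_user_level"}

# Constructed allowlist: the only fields a registration form should ever write.
ALLOWED_META_KEYS = {"first_name", "last_name", "description"}

# Strict key syntax: lowercase, digits, underscore; nothing else gets through.
STRICT_KEY = re.compile(r"^[a-z0-9_]{1,64}$")


def blocklist_allows(meta_key: str) -> bool:
    """Vulnerable pattern: exact-match blocklist on the raw submitted key."""
    return meta_key not in FORBIDDEN_META_KEYS


def allowlist_allows(meta_key: str) -> bool:
    """Hardened pattern: strict syntax plus exact allowlist. No normalisation is
    needed because any cased, slashed or encoded variant fails the regex."""
    return bool(STRICT_KEY.match(meta_key)) and meta_key in ALLOWED_META_KEYS


def stored_key(meta_key: str) -> str:
    """Assumed approximation of the key that reaches the database: URL-decoding,
    slash stripping, and case-insensitive comparison on the meta_key column."""
    return urllib.parse.unquote(meta_key).replace("\\", "").lower()


def audit_submission(meta_keys):
    """Report, per submitted key, what each filter decides and whether the
    stored form would collide with a protected key."""
    return {
        k: {
            "blocklist_allows": blocklist_allows(k),
            "allowlist_allows": allowlist_allows(k),
            "collides_with_protected": stored_key(k) in FORBIDDEN_META_KEYS,
        }
        for k in meta_keys
    }


# Constructed sample: one legitimate field and three variants of a protected key.
SAMPLE_KEYS = ["first_name", "WP_Capabilities", "wp\\_capabilities", "wp%5fcapabilities"]

if __name__ == "__main__":
    for key, result in audit_submission(SAMPLE_KEYS).items():
        print(f"{key!r:22} {result}")
```

The blocklist passes every variant while each one collapses to a protected key in storage; the allowlist rejects all three and accepts only the legitimate field.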

The issue came to light through reports of rogue administrator accounts being added to affected sites, which prompted the plugin's maintainers to issue a partial fix. A further update is expected in the next few days.

Ultimate Member's release notes describe the issue as a “privilege escalation vulnerability exploited via UM Forms,” adding that “this vulnerability is widely known to allow strangers to create admin-level WordPress users.”


However, WPScan pointed out that the patch is incomplete and many ways to circumvent the patch have been found, meaning the issue is still actively exploitable.

Observed attacks used the flaw to register new accounts under the names apadmins, se_brutal, segs_brutal, wpadmins, wpengine_backup, and wpenginer, and then to upload malicious plugins and themes through the site's admin panel.

Ultimate Member users are advised to disable the plugin until a suitable patch is available that fully closes the security hole. We also recommend that you audit all administrator-level users on your website to see if unauthorized accounts have been added.
