Heads up, WordPress admins! Researchers have caught a zero-day vulnerability in the Ultimate Member WordPress plugin, which hackers are exploiting to gain elevated privileges on target websites. Until the patch arrives, uninstalling the plugin is the only viable option to protect your websites.
Ultimate Member Plugin Zero-Day Actively Exploited
According to a recent post from Wordfence, a severe security issue affects the Ultimate Member plugin that criminal hackers have started exploiting to target websites.
Ultimate Member is a dedicated WordPress plugin offering user profile and membership features for websites. The plugin facilitates the creation of catchy profiles and online communities with swift membership registrations.
Currently, the plugin’s official WordPress page boasts over 200,000 active installations. While this indicates the usefulness of the plugin and its subsequent popularity, it also suggests how any vulnerabilities in this plugin can directly impact thousands of websites globally.
One such critical severity vulnerability recently caught the attention of the Wordfence team. As observed, they noticed a privilege escalation vulnerability (CVE-2023-3460; CVSS 9.8) that allowed rogue admin registrations.
Specifically, the flaw existed because the plugin used a predefined list of banned user meta keys that an adversary may bypass by adding slashes to the user meta key. An unauthenticated attacker may set the
wp_capabilities user meta value to ‘administrator’ to gain admin access to the website.
Wordfence team observed numerous instances of active exploitation of this vulnerability, where the attackers created rogue accounts with usernames ‘wpenginer,’ ‘wpadmins,’ ‘wpengine_backup,’ ‘se_brutal,’ and ‘segs_brutal.’ The researchers have also shared the indicators of compromise in their post.
Patch Still Pending To Arrive Despite Efforts
Following the bug discovery and exploitation detection, the plugin developers started working on patching the flaw. However, their efforts were seemingly unsuccessful, as the vulnerability affects even the latest version 2.6.6.
According to the developers, the team has been working on fixing the vulnerability since Ultimate Member version 2.6.3. The following versions (2.6.4, 2.6.5, and 2.6.6) also aimed at ‘partially closing’ the flaw. However, they are still working on addressing the issue completely, which means the vulnerability still risks all websites.
Hence, until a patch arrives, the only workaround to protect websites from potential attacks is to disable/uninstall the plugin. Besides, the plugin developers urge the users to keep checking for updates.
Let us know your thoughts in the comments.