Critical bug found in Ultimate Member: 200,000 WordPress sites at risk
A security flaw in the popular WordPress plugin puts the integrity of sites at risk, allowing attackers to register accounts with administrator privileges
A dangerous vulnerability in the Ultimate Member plugin is putting over 200,000 WordPress websites at risk. The plugin, designed to handle user registration and login, lets site owners create user profiles, define roles, customize form fields and much more. A recently identified vulnerability, tracked as CVE-2023-3460 with a CVSS score of 9.8, allows attackers to create new administrator accounts on WordPress sites running Ultimate Member.
Detection of fraudulent account creation
Several users of the plugin noticed fraudulent accounts appearing on their sites and reported them, indicating that the attacks have been ongoing since at least the beginning of June. The root cause appears to be a discrepancy between the Ultimate Member plugin's blocking logic and the way WordPress itself handles metadata keys.
The error in handling metadata
The Ultimate Member plugin keeps a blocklist of user metadata keys that registration forms must not be allowed to modify, and checks submitted keys against that list whenever a user tries to set them while creating an account. Because the plugin's check and WordPress's own handling of metadata keys do not agree, attackers were able to trick the plugin into writing blocked keys anyway, including wp_capabilities (with the default table prefix), the key in which WordPress stores a user's roles and capabilities. This let them register accounts that already held the administrator role, activity that was noticed and reported by at least two site owners.
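To make the class of bug concrete, here is a constructed PHP illustration added for this article. It is not Ultimate Member's code and does not reproduce the exact bypass used in the wild: a registration handler that filters submitted profile fields against a blocklist checked on the raw key, while the storage layer normalizes keys before writing them, shown beside an allowlist version that only writes the fields the form declares. The blocklist, the `normalize_meta_key` helper, the `FORM_FIELDS` list and the `save_profile_*` functions are assumptions for the example; `wp_capabilities` is the real key (default table prefix) under which WordPress stores a user's roles.

```php
<?php
// Added example: a constructed, simplified model of a registration handler.
// It is NOT Ultimate Member's code and does not reproduce the exact bypass;
// it shows why a blocklist of "forbidden" meta keys is fragile when the
// check and the storage layer disagree on how a key is interpreted.

// Real WordPress key (default "wp_" table prefix) that holds the user's roles.
const CAPABILITIES_KEY = 'wp_capabilities';

// Keys the blocklist approach tries to protect (assumed list for the example).
const BLOCKED_META_KEYS = ['wp_capabilities', 'wp_user_level', 'role'];

// Assumed storage-layer behaviour: keys are trimmed and lower-cased before
// being written, so several spellings map to the same stored key.
function normalize_meta_key(string $key): string
{
    return strtolower(trim($key));
}

// Vulnerable pattern: the blocklist is compared against the RAW submitted key,
// but the key is normalized afterwards, so "WP_Capabilities " passes the check
// and is stored under "wp_capabilities".
function save_profile_blocklist(array $submitted): array
{
    $stored = [];
    foreach ($submitted as $key => $value) {
        if (in_array($key, BLOCKED_META_KEYS, true)) {
            continue; // exact-match check on the unnormalized key
        }
        $stored[normalize_meta_key($key)] = $value;
    }
    return $stored;
}

// Hardened pattern: only keys the registration form actually declares are
// written. Role-bearing keys are never in that list, so no spelling of
// "wp_capabilities" can reach storage; the role is assigned server-side.
const FORM_FIELDS = ['first_name', 'last_name', 'description'];

function save_profile_allowlist(array $submitted): array
{
    $stored = [];
    foreach ($submitted as $key => $value) {
        $norm = normalize_meta_key($key);
        if (!in_array($norm, FORM_FIELDS, true)) {
            continue; // anything not explicitly declared is dropped
        }
        $stored[$norm] = $value;
    }
    // The role comes from server-side configuration, never from the request.
    $stored[CAPABILITIES_KEY] = ['subscriber' => true];
    return $stored;
}

// Constructed attacker submission: a normal field plus a disguised role key.
$attack = [
    'first_name'       => 'Mallory',
    'WP_Capabilities ' => ['administrator' => true],
];

$weak = save_profile_blocklist($attack);
$safe = save_profile_allowlist($attack);

printf("blocklist stores %s => %s\n", CAPABILITIES_KEY,
    json_encode($weak[CAPABILITIES_KEY] ?? null));
printf("allowlist stores %s => %s\n", CAPABILITIES_KEY,
    json_encode($safe[CAPABILITIES_KEY]));
```

Run it with `php example.php`. The point is not the particular normalization assumed here but the design: a denylist has to anticipate every representation the storage layer will accept, while an allowlist of declared form fields does not, and role changes belong in server-side code (for example `WP_User::set_role()`) rather than in any user-writable meta key.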
Suggested security measures and actions of plugin maintainers
The maintainers of the plugin, who classify the issue as a privilege-escalation bug, attempted to fix it in the two most recent releases of Ultimate Member, but those fixes appear to be incomplete, and they have acknowledged that the flaw is being actively exploited. Until a complete fix is available, site owners are advised to temporarily deactivate the Ultimate Member plugin and to audit every administrator account on their sites for ones they did not create.
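As an added example of the audit step (not code from the article's source or from the plugin's maintainers), the following PHP script lists administrator accounts and flags any that are not in an allowlist of expected logins or that were registered on or after a cutoff date. Under WordPress it can be run with WP-CLI as `wp eval-file audit-admins.php`, where it uses the real `get_users()`; outside WordPress it falls back to a constructed sample so the logic can be tried stand-alone. The `EXPECTED_ADMINS` list, the `CUTOFF` date and the sample users are assumptions.

```php
<?php
// Added example: audit administrator accounts after a suspected privilege
// escalation. Not the plugin's or the article's code.
// Usage inside WordPress:  wp eval-file audit-admins.php
// Usage stand-alone:       php audit-admins.php   (uses constructed sample data)

// Assumed: logins of the administrators you know you created.
const EXPECTED_ADMINS = ['siteowner', 'devops'];

// Assumed: accounts registered on or after this date deserve a second look
// (the article reports attacks since at least the beginning of June 2023).
const CUTOFF = '2023-06-01 00:00:00';

/**
 * Return the subset of $admins that look suspicious, with a reason for each.
 * Each $admins entry: ['ID' => int, 'login' => string, 'email' => string,
 *                      'registered' => 'YYYY-MM-DD HH:MM:SS'].
 */
function flag_suspicious_admins(array $admins, array $expected, string $cutoff): array
{
    $flagged = [];
    foreach ($admins as $a) {
        $reasons = [];
        if (!in_array($a['login'], $expected, true)) {
            $reasons[] = 'not in expected-admin list';
        }
        if (strtotime($a['registered']) >= strtotime($cutoff)) {
            $reasons[] = 'registered on or after cutoff ' . $cutoff;
        }
        if ($reasons) {
            $a['reasons'] = $reasons;
            $flagged[] = $a;
        }
    }
    return $flagged;
}

// Collect administrators: real data when running under WordPress,
// otherwise a constructed sample.
if (function_exists('get_users')) {
    $admins = [];
    foreach (get_users(['role' => 'administrator']) as $u) {
        $admins[] = [
            'ID'         => $u->ID,
            'login'      => $u->user_login,
            'email'      => $u->user_email,
            'registered' => $u->user_registered,
        ];
    }
} else {
    $admins = [ // constructed sample, not real accounts
        ['ID' => 1,  'login' => 'siteowner', 'email' => 'owner@example.com', 'registered' => '2021-03-04 10:00:00'],
        ['ID' => 2,  'login' => 'devops',    'email' => 'ops@example.com',   'registered' => '2022-01-15 08:30:00'],
        ['ID' => 57, 'login' => 'wpadmin1',  'email' => 'x@example.net',     'registered' => '2023-06-12 02:14:51'],
    ];
}

foreach (flag_suspicious_admins($admins, EXPECTED_ADMINS, CUTOFF) as $f) {
    printf("SUSPICIOUS ID=%d login=%s email=%s registered=%s (%s)\n",
        $f['ID'], $f['login'], $f['email'], $f['registered'], implode('; ', $f['reasons']));
}
```

The same listing is available without a script via `wp user list --role=administrator --fields=ID,user_login,user_email,user_registered`. Each flagged account should be checked against who actually created it; an unknown one should be removed (`wp user delete <ID> --reassign=<trusted ID>`) and the remaining administrators' credentials rotated, with the plugin kept deactivated (`wp plugin deactivate ultimate-member`, assuming the standard plugin slug) until a complete fix is installed. An attacker who has already used an administrator account may have left other persistence (extra plugins, modified theme files, rogue scheduled tasks), so the user audit is the start of the response, not the end of it.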
06/30/2023 13:37
Editorial AI