July 1, 2023 | Ravi Lakshmanan | Website Security / Cyber Threats

As many as 200,000 WordPress websites are at risk from ongoing attacks exploiting a critical, unpatched security vulnerability in the Ultimate Member plugin.

The flaw, tracked as CVE-2023-3460 (CVSS score: 9.8), affects all versions of the Ultimate Member plugin, including the latest version (2.6.6), which was released on June 29, 2023.

Ultimate Member is a popular plugin that makes it easy to create user profiles and communities on a WordPress site. It also provides account management features.

“This is a very serious issue. An unauthenticated attacker could exploit this vulnerability to create a new user account with administrative privileges, giving them full control over the affected site,” WordPress security company WPScan said in an alert.

While details of the flaw are being withheld because of active exploitation, it stems from inadequate blocklist logic: a newly registered user is able to set their own wp_capabilities user meta value to that of an administrator, which grants full access to the site.

“The plugin comes with a pre-defined list of forbidden keys that cannot be updated by the user, but in vulnerable versions of the plugin there is an easy way to bypass the configured filters, such as utilizing different case, slashes, and character encodings in the provided meta key values,” said Wordfence researcher Chloe Chamberland.
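The following is an added illustration of the bug pattern described above, not code from Ultimate Member or from either research team: a blocklist of forbidden meta keys that is compared against the raw submitted key, while the key is canonicalized (percent-decoded, backslashes stripped, lower-cased) only later, on the way to storage. The blocklist, the allowlist, the canonicalization steps and the payload variants are all constructed for this example; they are assumptions about the general pattern, not the plugin's actual code or the attackers' exact payloads.

```python
"""Model of a meta-key blocklist bypassed by case, slash and encoding variants
(constructed example; not the Ultimate Member code)."""
from urllib.parse import unquote

# Constructed blocklist of keys a user must never write; the real plugin's
# list is not reproduced here.
BLOCKED_META_KEYS = {"wp_capabilities", "wp_user_level"}
# Constructed allowlist of profile fields a user may legitimately edit.
USER_EDITABLE_META_KEYS = {"description", "nickname", "first_name", "last_name"}

ADMIN_CAPS = {"administrator": True}


def canonicalize(key: str) -> str:
    """Assumed normalisation applied downstream of the filter, before the key
    reaches storage: percent-decode, strip backslashes, lower-case.  This is a
    model for the example, not the plugin's real code path."""
    return unquote(key).replace("\\", "").lower()


def vulnerable_is_blocked(key: str) -> bool:
    """The bug pattern: compare the raw, un-normalised key to the blocklist."""
    return key in BLOCKED_META_KEYS


def hardened_is_blocked(key: str) -> bool:
    """Normalise first, then compare, so case/slash/encoding variants match."""
    return canonicalize(key) in BLOCKED_META_KEYS


def allowlist_permits(key: str) -> bool:
    """Preferred design: only explicitly allowed keys may be written at all."""
    return canonicalize(key) in USER_EDITABLE_META_KEYS


def apply_profile_update(fields: dict, is_blocked) -> dict:
    """Store each submitted (key, value) pair unless is_blocked rejects it.
    Returns the resulting user-meta dict, keyed by the canonical key."""
    meta = {}
    for key, value in fields.items():
        if is_blocked(key):
            continue
        meta[canonicalize(key)] = value
    return meta


def is_administrator(meta: dict) -> bool:
    caps = meta.get("wp_capabilities", {})
    return bool(caps.get("administrator"))


# Constructed variants of the kind described in the article (case, slashes,
# character encoding); none of them equals the blocklisted string literally.
BYPASS_VARIANTS = [
    "WP_Capabilities",        # case variation
    "wp\\_capabilities",      # backslash inserted, stripped later
    "wp_capa%62ilities",      # percent-encoded 'b', decoded later
]


def exploit_succeeds(variant: str, is_blocked) -> bool:
    """Submit a profile update carrying the variant key with admin caps and
    report whether the stored meta now marks the user as an administrator."""
    meta = apply_profile_update({variant: ADMIN_CAPS, "nickname": "x"}, is_blocked)
    return is_administrator(meta)


if __name__ == "__main__":
    for v in BYPASS_VARIANTS:
        print(f"{v!r:22} vulnerable={exploit_succeeds(v, vulnerable_is_blocked)} "
              f"hardened={exploit_succeeds(v, hardened_is_blocked)} "
              f"allowlist={exploit_succeeds(v, lambda k: not allowlist_permits(k))}")
```

Run as a script it prints one line per variant: the raw-string blocklist lets every variant through and the user ends up with administrator capabilities, the canonicalize-then-compare blocklist stops all three, and the allowlist stops them as well. The design point is the last column: a blocklist is only as good as the canonicalization that precedes it, whereas an allowlist of user-editable keys fails closed for any variant not anticipated in advance.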

The issue came to light after reports emerged of rogue administrator accounts being added to affected sites, prompting the plugin maintainers to issue partial fixes in versions 2.6.4, 2.6.5, and 2.6.6. A new update is expected to be released in the near future.

Ultimate Member's release notes describe the fix as addressing a “privilege escalation vulnerability exploited via UM Forms,” adding that “this vulnerability is widely known to allow strangers to create admin-level WordPress users.”


However, WPScan pointed out that the patch is incomplete and that it has found several ways to circumvent it, meaning the issue is still actively exploitable.

Observed attacks have used the flaw to register new accounts under the names apadmins, se_brutal, segs_brutal, wpadmins, wpengine_backup, and wpenginer, and then to upload malicious plugins and themes through the site's admin panel.

Ultimate Member users are advised to disable the plugin until a patch that fully closes the security hole is available. They are also advised to audit all administrator-level users on their sites (for example, with WP-CLI: `wp user list --role=administrator`) to determine whether unauthorized accounts have been added.
