As many as 200,000 WordPress websites are at risk from ongoing attacks exploiting a critical, unpatched security vulnerability in the Ultimate Member plugin.
The flaw is tracked as CVE-2023-3460 (CVSS score: 9.8) and affects all versions of the Ultimate Member plugin, including the latest release (2.6.6), published on June 29, 2023.
Ultimate Member is a popular plugin that makes it easy to create user profiles and communities on a WordPress site; it also provides account management functions.
“This is a very serious issue. An unauthenticated attacker could exploit this vulnerability to create a new user account with administrative privileges, giving them full control over the affected site,” WordPress security company WPScan said in an alert.
While details of the flaw are being withheld because of active exploitation, it is understood to stem from improper blocklist logic: the attacker sets the new user’s wp_capabilities user meta value to that of an administrator, thereby gaining full access to the site.
“The plugin comes with a pre-defined list of forbidden keys that cannot be updated by the user, but there are easy ways to bypass the configured filters, such as utilizing different case, slashes, and character encodings in the provided meta key values, with a vulnerable version of the plugin,” said Wordfence researcher Chloe Chamberland.
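To make the bypass class Chamberland describes concrete, here is an added example, written for this page and not taken from the Ultimate Member plugin or from Wordfence. It models a meta-key blocklist that compares the raw submitted key against a forbidden list, beside a version that first reduces the key to the canonical form the storage layer would use (percent-decoded until stable, backslashes stripped, case folded) and an allowlist variant. The forbidden list, the helper names and the bypass variants are all constructed for illustration; the plugin’s real internals and the exact payloads used in the wild are not disclosed on this page.

```python
from urllib.parse import unquote

# Hypothetical blocklist of user-meta keys that a public registration form
# must never be allowed to write. Illustrative only: not the plugin's list.
FORBIDDEN_META_KEYS = frozenset({"wp_capabilities", "wp_user_level"})


def naive_is_forbidden(meta_key: str) -> bool:
    """Exact match on the raw submitted key: the pattern that is trivially bypassed."""
    return meta_key in FORBIDDEN_META_KEYS


def canonicalize_meta_key(meta_key: str) -> str:
    """Reduce a submitted key to the form that would reach the database.

    Covers the three bypass classes named in the text:
      * character encodings: percent-decode until the value stops changing, so
        double encoding (%255F -> %5F -> _) does not slip through;
      * slashes: drop backslashes, mirroring the slash-unescaping that form
        input typically receives before being stored;
      * case: fold to lower case, since a case-insensitive collation on the
        meta table would treat WP_Capabilities and wp_capabilities as one key.
    """
    decoded = meta_key
    while True:
        once = unquote(decoded)
        if once == decoded:
            break
        decoded = once
    return decoded.replace("\\", "").strip().lower()


def hardened_is_forbidden(meta_key: str) -> bool:
    """Blocklist check performed on the canonical key instead of the raw input."""
    return canonicalize_meta_key(meta_key) in FORBIDDEN_META_KEYS


def allowlist_is_permitted(meta_key: str, allowed_keys: frozenset) -> bool:
    """Preferred design: only keys explicitly registered on the form may be written,
    so an unanticipated spelling of a privileged key is rejected by default."""
    return canonicalize_meta_key(meta_key) in allowed_keys


# Constructed variants of the kinds Chamberland names (case, slashes, encodings).
# These are illustrative inputs, not payloads observed in the attacks.
BYPASS_ATTEMPTS = [
    "wp_capabilities",       # plain spelling: both checks catch it
    "WP_Capabilities",       # different case
    "wp\\_capabilities",     # backslash that later unslashing would remove
    "wp%5Fcapabilities",     # percent-encoded underscore
    "wp%255Fcapabilities",   # double-encoded underscore
]


def evaluate(attempts=BYPASS_ATTEMPTS):
    """Return {attempt: (blocked_by_naive_check, blocked_by_hardened_check)}."""
    return {a: (naive_is_forbidden(a), hardened_is_forbidden(a)) for a in attempts}


if __name__ == "__main__":
    for key, (naive, hardened) in evaluate().items():
        print(f"{key!r:26} naive blocks={str(naive):5} hardened blocks={hardened}")
```

Only the literal spelling is stopped by the naive check; every other variant reaches the canonical key `wp_capabilities` unchecked. Normalizing before the comparison closes those gaps, but the allowlist form is the safer design because it does not depend on enumerating every encoding an attacker might think of.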
The problem came to light after reports emerged of rogue admin accounts being added to affected sites, prompting the plugin maintainers to issue partial fixes in versions 2.6.4, 2.6.5, and 2.6.6. A further update is expected to be released in the near future.
Ultimate Member’s release notes describe the issue as a “privilege escalation vulnerability exploited via UM Forms” that is “widely known to allow strangers to create admin-level WordPress users.”
However, WPScan pointed out that the patches are incomplete and that several ways to circumvent them have been found, meaning the issue remains actively exploitable.
Observed attacks have used the flaw to register new accounts under the names apadmins, se_brutal, segs_brutal, wpadmins, wpengine_backup, and wpenginer, and then to upload malicious plugins and themes through the site’s admin panel.
Ultimate Member users are advised to disable the plugin until a patch that fully closes the security hole is available, and to audit all administrator-level accounts on their sites to check whether unauthorized users have been added.
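For the audit step, here is an added example, not from the original article or from Ultimate Member, that flags administrator accounts worth a manual look. It assumes you have exported the user list with WP-CLI (`wp user list --format=csv`); the CSV embedded below is a constructed sample in that shape, the login names checked are the ones the article reports from the observed attacks, and the cutoff date is an assumption you would set to the point at which a vulnerable version was first installed on your site.

```python
import csv
import io
from datetime import datetime

# Account names the article reports the attackers registering (indicators, not
# an exhaustive list: attackers can pick any name).
KNOWN_ROGUE_LOGINS = frozenset({
    "apadmins", "se_brutal", "segs_brutal",
    "wpadmins", "wpengine_backup", "wpenginer",
})

# Constructed sample shaped like `wp user list --format=csv` output.
SAMPLE_CSV = """ID,user_login,display_name,user_email,user_registered,roles
1,owner,Site Owner,owner@example.com,2021-03-02 09:14:51,administrator
7,editor_jane,Jane,jane@example.com,2022-11-20 12:00:00,editor
42,wpengine_backup,wpengine_backup,backup@example.invalid,2023-07-01 03:12:40,administrator
43,mynewuser,New User,new@example.invalid,2023-07-01 04:02:11,administrator
44,fan_1,Fan,fan@example.invalid,2023-07-01 05:00:00,subscriber
"""


def flag_suspicious_admins(csv_text, created_after, known_logins=KNOWN_ROGUE_LOGINS):
    """Return [(user_login, [reasons])] for accounts that deserve manual review.

    Two independent signals are applied to every row:
      * the login matches a name used in the reported campaign, whatever its role;
      * the account holds the administrator role and was registered on or after
        the cutoff (assumed: when a vulnerable plugin version was first present).
    """
    flagged = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        roles = {r.strip() for r in row["roles"].split(",") if r.strip()}
        registered = datetime.strptime(row["user_registered"], "%Y-%m-%d %H:%M:%S")
        reasons = []
        if row["user_login"].lower() in known_logins:
            reasons.append("login matches a name used in the reported campaign")
        if "administrator" in roles and registered >= created_after:
            reasons.append("administrator created on or after the cutoff")
        if reasons:
            flagged.append((row["user_login"], reasons))
    return flagged


if __name__ == "__main__":
    # Assumed cutoff for this sample: the day before the vulnerable 2.6.6 release.
    for login, reasons in flag_suspicious_admins(SAMPLE_CSV, datetime(2023, 6, 28)):
        print(f"{login}: {'; '.join(reasons)}")
```

Any account the script flags should be checked against your own records of who was supposed to be an administrator, and the site’s plugin and theme directories reviewed for files uploaded around the same time, since that is how the observed attacks followed up the account creation.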