A significant security vulnerability has been identified in the widely used WordPress plugin, Ultimate Member, which boasts over 200,000 active installations. The flaw, labeled CVE-2024-1071, has a critical CVSS score of 9.8, indicating its severity and potential for exploitation. Security researcher Christiaan Swiers is credited with discovering and reporting this vulnerability.

According to a recent advisory from Wordfence, a security firm specializing in WordPress, plugin versions 2.1.3 through 2.8.2 are vulnerable to SQL injection via the ‘sorting’ parameter. The issue arises from inadequate escaping of the user-supplied parameter combined with insufficient preparation of the existing SQL query. Attackers exploiting this flaw could append additional SQL queries to existing ones, enabling the extraction of sensitive information from the database.
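As an added illustration (not the plugin's code, and written in Python rather than the plugin's PHP), the following shows the control that closes this class of bug: a request-supplied sort key is mapped through an allowlist, because an ORDER BY column or direction cannot be bound as a query placeholder, so escaping or a prepared statement alone does not protect that part of the query. The table, column names and sample rows are assumptions constructed for the example.

```python
import sqlite3

# Allowlist of sort keys that the 'sorting' request parameter may select.
# Each key maps to a fixed ORDER BY fragment, so no request text ever reaches the SQL.
ALLOWED_SORTS = {
    "user_login_asc": "user_login ASC",
    "user_login_desc": "user_login DESC",
    "user_registered_desc": "user_registered DESC",
}

def build_user_query(sorting: str, role: str) -> tuple[str, tuple]:
    """Return (sql, params) for listing users of a role, ordered per `sorting`.

    ORDER BY identifiers cannot be bound as placeholders, so the request value
    is only used to look up an entry in ALLOWED_SORTS; anything else is rejected.
    The role value, by contrast, is data and is passed as a bound parameter.
    """
    order_by = ALLOWED_SORTS.get(sorting)
    if order_by is None:
        raise ValueError(f"unsupported sort key: {sorting!r}")
    sql = f"SELECT user_login FROM users WHERE role = ? ORDER BY {order_by}"
    return sql, (role,)

def list_users(conn: sqlite3.Connection, sorting: str, role: str = "subscriber") -> list[str]:
    sql, params = build_user_query(sorting, role)
    return [row[0] for row in conn.execute(sql, params)]

def sample_db() -> sqlite3.Connection:
    # Constructed in-memory table standing in for a custom user table (hypothetical schema).
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (user_login TEXT, role TEXT, user_registered TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", [
        ("carol", "subscriber", "2024-01-05"),
        ("alice", "subscriber", "2024-02-01"),
        ("bob", "editor", "2023-12-20"),
    ])
    return conn

if __name__ == "__main__":
    conn = sample_db()
    print(list_users(conn, "user_login_asc"))        # ['alice', 'carol']
    try:
        list_users(conn, "user_login ASC, 1")        # not in the allowlist
    except ValueError as e:
        print("rejected:", e)
```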

Importantly, only those users who have selected the “Enable custom table for usermeta” setting are susceptible to this vulnerability, underlining the need for informed user configuration. Following responsible disclosure on January 30, 2024, developers released a patch on February 19, upgrading the plugin to version 2.8.3. Users are urged to promptly update to this latest version to safeguard against looming threats. In a concerning trend, Wordfence has already intercepted one attack exploiting this vulnerability within the past 24 hours.

This incident is part of a broader landscape in which vulnerabilities in plugins like Ultimate Member are increasingly targeted. Earlier in July 2023, a different vulnerability (CVE-2023-3460, scored 9.8) was actively exploited, allowing attackers to create unauthorized admin users and take control of affected sites.

Simultaneously, there is a noticeable surge in campaigns exploiting compromised WordPress sites to deploy crypto drainers, including tools like Angel Drainer. These attacks utilize phishing techniques alongside malicious code injections, posing significant risks to website operators and the security of user assets. As cautioned by Sucuri researcher Denis Sinegubko, the reliance on direct wallet interactions within the Web3 ecosystem heightens these risks.

The emergence of a new drainer-as-a-service scheme known as CG (CryptoGrab) has further complicated the security landscape, boasting substantial affiliate networks across diverse languages and geographical regions. Cyfirma’s recent report outlines how these threat actors leverage Telegram bots to facilitate their operations, allowing them to obtain domains for fraudulent activities with ease. These tools provide malicious actors with the capability to clone legitimate websites and obscure their operations through Cloudflare protections.

This situation underscores the urgency for WordPress site administrators to remain vigilant about cybersecurity practices and the implications of vulnerabilities in commonly used plugins. Equally, understanding the tactics detailed in the MITRE ATT&CK framework—such as initial access, lateral movement, and credential dumping—can enhance preparedness against potential attacks stemming from such vulnerabilities. By recognizing and addressing these risks proactively, business owners can better protect their digital assets and maintain user trust in their platforms.

As the cybersecurity landscape continues to evolve, business owners must stay informed about the latest threats and adopt a proactive stance in securing their web applications. By doing so, they not only protect their business interests but also the sensitive information of their customers.