Critical Vulnerability Exposes 200,000 WordPress Sites to Attacks
An unpatched, actively exploited vulnerability in the Ultimate Member WordPress plugin puts as many as 200,000 websites at risk. The flaw is tracked as CVE-2023-3460 and carries a critical CVSS score of 9.8. It affects every version of the plugin up to and including 2.6.6, which was released on June 29, 2023.
Ultimate Member is widely used to build user profiles and membership communities on WordPress sites, and it also handles registration and other account-management tasks, which makes it a central component of many installations. That is what makes the flaw so dangerous: according to a warning from the WordPress security firm WPScan, an unauthenticated attacker can abuse it to register a new account that already holds administrator rights, giving complete control over the affected site.
Full technical details are being withheld while exploitation is ongoing, but the root cause has been identified as weak blocklist logic. The plugin tries to stop registration forms from setting sensitive user meta keys by checking submitted keys against a list of banned names; that check can be bypassed, so an attacker can set the wp_capabilities user meta value for the account being created and assign it the administrator role. The developers shipped partial fixes in 2.6.4, 2.6.5 and 2.6.6, but WPScan reported that those releases did not fully close the hole.
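The following is an added example written for this article, not Ultimate Member's code, that models the weakness class described above: a blocklist of user meta keys that is checked against the raw submitted key while the storage layer normalises the key before writing, placed beside an allowlist fix in the spirit of the 2.6.7 changes. The function names, the banned-key list, the form field set and the specific bypass (a backslash in the submitted key, which WordPress's update_metadata() strips via wp_unslash()) are illustrative assumptions and are not a claim about the exact payload used in the wild.

```python
# Added example (not Ultimate Member's code): a model of a bypassable
# blocklist on user meta keys beside an allowlist fix. The bypass vector,
# names and sets below are illustrative assumptions, not the confirmed
# in-the-wild payload for CVE-2023-3460.

# Keys the vulnerable handler refuses to write (modelled blocklist).
BANNED_META_KEYS = {"wp_capabilities", "wp_user_level", "um_role"}

# Keys the registration form defines server-side (source of the allowlist).
FORM_FIELDS = {"user_login", "user_email", "first_name", "last_name"}


def wp_unslash(value: str) -> str:
    """Model of WordPress wp_unslash(): remove backslashes."""
    return value.replace("\\", "")


def update_user_meta(store: dict, user_id: int, key: str, value) -> None:
    """Model of the WordPress meta sink. update_metadata() unslashes the key
    before writing, so the stored key can differ from the submitted one."""
    store.setdefault(user_id, {})[wp_unslash(key)] = value


def register_vulnerable(store: dict, user_id: int, submitted: dict) -> dict:
    """Blocklist checked against the raw submitted key.

    Check and sink disagree about what the key is: 'wp_capabilitie\\s' is not
    in the blocklist, but the sink stores it as 'wp_capabilities'.
    """
    for key, value in submitted.items():
        if key in BANNED_META_KEYS:
            continue  # blocked, but only for this exact spelling
        update_user_meta(store, user_id, key, value)
    return store.get(user_id, {})


def register_hardened(store: dict, user_id: int, submitted: dict) -> dict:
    """Allowlist: normalise first, then accept only keys the form defines.

    The allowed set comes from server-side form settings, never from the
    request, so submitted data cannot widen it.
    """
    for key, value in submitted.items():
        key = wp_unslash(key)  # same normalisation the sink applies
        if key not in FORM_FIELDS:
            continue  # drop anything the form does not define
        update_user_meta(store, user_id, key, value)
    return store.get(user_id, {})


def is_admin(meta: dict) -> bool:
    """WordPress keeps roles in the wp_capabilities meta; modelled as a dict."""
    return bool(meta.get("wp_capabilities", {}).get("administrator"))


# Constructed attacker submission: an ordinary signup plus one smuggled key.
ATTACK_REQUEST = {
    "user_login": "newuser",
    "user_email": "newuser@example.invalid",
    "wp_capabilitie\\s": {"administrator": True},
}


if __name__ == "__main__":
    print("vulnerable handler grants admin:",
          is_admin(register_vulnerable({}, 1, ATTACK_REQUEST)))
    print("hardened handler grants admin:",
          is_admin(register_hardened({}, 1, ATTACK_REQUEST)))
```

The point of the hardened version is not the particular normalisation but the ordering: decide what is allowed only after the key is in the form the sink will use, and derive the allowed set from the form definition rather than from anything in the request.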
The maintainers acted after site owners reported on public support forums that administrator accounts they had never created were appearing on their sites. WPScan reported that attackers are registering these accounts under a small set of recurring usernames, which can serve as indicators of compromise. Once such an account exists, it can be used to install malicious plugins and themes through the site's administrative panel, which puts the integrity of the whole site at risk.
Given the severity of the issue, users of the Ultimate Member plugin are advised to deactivate it until a complete fix is available. Site administrators should also review the list of administrator accounts and remove any they did not create, since an unauthorized administrator remains a backdoor even after the plugin is patched.
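As an added example for the audit step, not part of Ultimate Member or WP-CLI, the script below flags administrator accounts that are missing from a known-good baseline or were registered after a chosen cutoff. The input shape follows what `wp user list --role=administrator --format=json --fields=ID,user_login,user_email,user_registered` produces; the rows, the baseline list and the cutoff date are constructed assumptions for illustration.

```python
# Added example (not Ultimate Member's or WP-CLI's code): audit the
# administrator list exported by WP-CLI against a known-good baseline and a
# cutoff date. Sample rows, baseline and cutoff are constructed assumptions.
import json
from datetime import datetime

# Constructed sample in the shape of:
#   wp user list --role=administrator --format=json \
#      --fields=ID,user_login,user_email,user_registered
WP_CLI_SAMPLE = json.dumps([
    {"ID": "1", "user_login": "siteowner", "user_email": "owner@example.invalid",
     "user_registered": "2021-03-10 09:12:44"},
    {"ID": "14", "user_login": "devops", "user_email": "devops@example.invalid",
     "user_registered": "2022-08-01 15:40:02"},
    {"ID": "812", "user_login": "backup_admin", "user_email": "x@example.invalid",
     "user_registered": "2023-06-30 02:17:05"},
])

KNOWN_ADMINS = {"siteowner", "devops"}   # assumed: the last verified admin list
CUTOFF = datetime(2023, 6, 1)            # assumed: date of that verification


def parse_user_list(raw_json: str) -> list:
    """Parse WP-CLI JSON; user_registered is 'YYYY-MM-DD HH:MM:SS'."""
    users = json.loads(raw_json)
    for u in users:
        u["registered_at"] = datetime.strptime(u["user_registered"],
                                               "%Y-%m-%d %H:%M:%S")
    return users


def find_suspect_admins(users: list, known_admins: set, cutoff: datetime) -> list:
    """Return (login, reasons) for every administrator failing either check.

    Both checks are kept because an attacker may reuse a name from the
    baseline on a fresh account, or an old account may have been elevated.
    """
    suspects = []
    for u in users:
        reasons = []
        if u["user_login"] not in known_admins:
            reasons.append("not in baseline")
        if u["registered_at"] >= cutoff:
            reasons.append("registered on/after cutoff")
        if reasons:
            suspects.append((u["user_login"], reasons))
    return suspects


if __name__ == "__main__":
    users = parse_user_list(WP_CLI_SAMPLE)
    for login, why in find_suspect_admins(users, KNOWN_ADMINS, CUTOFF):
        print(f"REVIEW {login}: {', '.join(why)}")
```

The `--role=administrator` filter matches on the stored wp_capabilities meta, so accounts whose role was injected directly into that meta value, as this flaw allows, still show up in the export.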
In response, the Ultimate Member developers released version 2.6.7 on July 1, 2023. According to the release notes, this version addresses the privilege escalation by replacing the blocklist with a whitelist of permitted meta keys and by separating form settings from submitted data, so a request can no longer inject keys the form does not define. It also adds a feature that lets site administrators reset passwords for all users in bulk, which is useful for cleaning up after a suspected compromise.
Mapped to the MITRE ATT&CK framework, the observed activity spans initial access (exploitation of the public-facing registration form), privilege escalation (the injected administrator role) and persistence (the rogue administrator account and any plugins or themes installed through it). Organizations relying on the Ultimate Member plugin should update to 2.6.7 or later, complete the account audit, and watch for further guidance from the developers and from WPScan.