The Guru's World

Navigating the Future of Cybersecurity


Unprecedented Attack Threat: 200,000 WordPress Sites Endangered by Flaw in ‘Ultimate Member’ Plugin

WordPress, the world's most popular website creation platform, is under threat. According to recent reports, a flaw in the ‘Ultimate Member’ plugin exposes over 200,000 WordPress websites to potential attacks. With a severity score of 9.8, the flaw gives cybercriminals ample opportunity to compromise countless websites.

Unveiling The ‘Ultimate Member’ Plugin

In addition to providing a seamless user experience, the ‘Ultimate Member’ plugin offers a user-friendly interface for registering and logging in to websites. It lets site owners add user profiles, create custom form fields, define roles, and build member directories. Despite these features, the recent discovery of a security flaw has raised concerns among its users.

The Exploitable Flaw: CVE-2023-3460

The CVE-2023-3460 vulnerability allows attackers to manipulate the plugin and add a new administrator account. A few site owners have reported rogue accounts suddenly appearing on their sites, and the attacks may have been active since June.

According to WordPress security firm WPScan, the flaw is believed to stem from a conflict between the plugin’s blocklist logic and the way WordPress processes metadata keys.

Ultimate Member keeps a blocklist of metadata keys that users must not be able to set, and submitted keys are checked against this list whenever a registration is processed. Discrepancies between how the plugin and WordPress handle these keys allowed attackers to update blocked metadata keys, including those that hold user roles and capabilities.

Through this manipulation, attackers could register user accounts with administrator rights. At least two site owners noticed the suspicious activity and reported it.
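To illustrate the class of mismatch described above, here is an added Python example that is not Ultimate Member's or WordPress's own code: a blocklist compared literally against the raw submitted key, beside a hardened check that first normalizes the key the way the storage layer would and then also applies an allowlist of expected profile fields. The normalization rule, the key names and the submitted form are assumptions, and the spelling variant is illustrative rather than the actual bypass.

```python
import re

# Constructed example, not the plugin's code. Meta keys that control
# privileges in WordPress (prefix assumed); a registration form must never set them.
PROTECTED_META_KEYS = frozenset({"wp_capabilities", "wp_user_level", "role"})

# Profile fields the registration form is expected to submit (assumed list).
ALLOWED_META_KEYS = frozenset({"first_name", "last_name", "description", "um_bio"})


def normalize_key(key: str) -> str:
    """Assumed sanitize_key-style normalization: lowercase, keep only [a-z0-9_-]."""
    return re.sub(r"[^a-z0-9_-]", "", key.lower())


def weak_check(key: str) -> bool:
    """Blocklist compared literally against the raw key. Any spelling that
    differs from the blocklist entry but normalizes to a protected key passes."""
    return key not in PROTECTED_META_KEYS


def hardened_check(key: str) -> bool:
    """Normalize first, reject protected keys, and accept only known keys."""
    norm = normalize_key(key)
    if norm in PROTECTED_META_KEYS:
        return False
    return norm in ALLOWED_META_KEYS


def filter_submission(fields: dict, check) -> dict:
    """Keep only the fields the given check accepts, stored under the
    normalized key (as the storage layer would write them)."""
    return {normalize_key(k): v for k, v in fields.items() if check(k)}


# Constructed form submission: one legitimate field plus a protected key
# spelled so that the literal comparison misses it.
SUBMISSION = {"first_name": "Alice", "WP_Capabilities ": {"administrator": True}}

if __name__ == "__main__":
    print("weak    :", filter_submission(SUBMISSION, weak_check))
    print("hardened:", filter_submission(SUBMISSION, hardened_check))
```

The point for a defender is that the validation layer must see the key exactly as the storage layer will, and that an allowlist of expected fields fails closed where a blocklist fails open.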

Incomplete Solution and Ongoing Exploitation

The plugin’s developers have attempted to patch the privilege escalation bug in recent versions of ‘Ultimate Member.’ Unfortunately, these fixes have proved incomplete, and the vulnerability continues to be exploited.

To prevent further exploitation, the developers encourage site owners to temporarily disable the ‘Ultimate Member’ plugin while they work on a comprehensive fix. Site owners should also audit all accounts with the administrator role to identify rogue accounts.

Protecting WordPress Sites

In light of this precarious situation, website owners using the ‘Ultimate Member’ plugin must take immediate precautionary measures to safeguard their sites. Keeping your website updated and proactively maintaining its security is more important than ever as this story unfolds.

References

Arghire, I. (2023, June 30). 200,000 WordPress sites exposed to attacks exploiting flaw in ‘Ultimate Member’ plugin. SecurityWeek. https://www.securityweek.com/200000-wordpress-sites-exposed-to-attacks-exploiting-flaw-in-ultimate-member-plugin/
