ShiftDelete.Net Global

WordPress plugin vulnerability: Hackers’ new tool for control

Ana sayfa / CyberSecurity

In the digital sphere, a vulnerability is akin to an open window for hackers. The latest security threat in this regard pertains to the Ultimate Member plugin on WordPress websites. An alarming number of such websites, approximately 200,000, are currently under threat due to an unpatched security flaw in the plugin.

Ultimate Member plugin flaw – an open door for hackers

The security gap, coded as CVE-2023-3460, is notable for its severity (CVSS score: 9.8) and its prevalence, impacting all versions of the Ultimate Member plugin. Even the most recent release (2.6.6), launched on June 29, 2023, is vulnerable.

The Ultimate Member plugin is a favoured tool among website builders for its ability to facilitate user-profile creation and community-building on WordPress sites. Furthermore, it provides account management features.

The WPScan, a WordPress security firm, has highlighted the potential havoc that the exploit can wreak. Unauthenticated attackers can exploit the vulnerability to create new user accounts with administrative privileges. This unauthorized control could lead to a total takeover of affected sites.

A flaw in the blocklist logic

The root of the flaw is an inadequate blocklist logic. It alters the wp_capabilities user meta value of a new user to match that of an administrator, thereby providing full access to the website. Bypassing the preset list of banned keys that the plugin uses is surprisingly simple, leaving the door open for unauthenticated users to gain access.

Rogue administrator accounts – a reality

Reports of rogue administrator accounts being added to affected sites brought the issue into the spotlight. This prompted the plugin developers to launch partial fixes with versions 2.6.4, 2.6.5, and 2.6.6. A comprehensive update is on the horizon.

Despite these efforts, the WPScan team argues that the patches are incomplete. Their findings reveal numerous ways to bypass the patches, leaving the vulnerability still open for exploitation.

Mitigation measures and the way forward

In light of these attacks, Ultimate Member users are advised to disable the plugin until a more reliable patch is released. It’s also crucial to audit all administrator-level users on the websites to identify any unauthorized accounts.

In a step towards resolution, the authors of Ultimate Member released version 2.6.7 of the plugin on July 1. This aims to address the actively exploited privilege escalation flaw. An additional security measure, a feature to enable website administrators to reset passwords for all users, is in the pipeline.

Seeking your perspective

What are your thoughts on this escalating threat from the Ultimate Member plugin flaw? We’d love to hear your insights! Please share your comments below.

Yorum Ekleyin