Critical Zero-Day Vulnerability in ‘Ultimate Member’ WordPress Plugin Enables Cybercriminals to Compromise Websites
Cybercriminals have recently taken advantage of a zero-day privilege escalation vulnerability present in the widely used ‘Ultimate Member’ WordPress plugin. This flaw allows them to bypass security measures and register rogue administrator accounts, putting websites at risk. With over 200,000 active installations, Ultimate Member is a popular user profile and membership plugin that facilitates sign-ups and community building on WordPress sites.
Tracked as CVE-2023-3460 and classified with a CVSS v3.1 score of 9.8 (“critical”), the exploited flaw affects all versions of the Ultimate Member plugin, including the latest release, v2.6.6. Although the developers initially attempted to address the vulnerability in versions 2.6.3 to 2.6.6, there are still potential avenues for exploitation. The development team acknowledges the remaining issue and is diligently working on a comprehensive fix, aiming to release an update in the near future.
According to the Ultimate Member developers, efforts to resolve this vulnerability began with version 2.6.3 when a customer report alerted them to the issue. While versions 2.6.4, 2.6.5, and 2.6.6 partially address the vulnerability, collaboration with the WPScan team is ongoing to achieve the best possible outcome. The developers have received a detailed report from the WPScan team, aiding in their efforts to rectify the situation.
It is crucial to note that all previous versions of the plugin remain vulnerable. Therefore, upgrading websites to version 2.6.6 and keeping up with future updates is strongly recommended to ensure recent security enhancements and feature updates are in place.
Wordfence Discovers Zero-Day Exploits
The attacks exploiting the CVE-2023-3460 zero-day vulnerability were first discovered by website security specialists at Wordfence. They have identified that threat actors leverage the plugin’s registration forms to manipulate user meta values and assign themselves arbitrary user roles, such as administrators. This unauthorized access grants them complete control over the compromised site.
Despite the plugin’s blocklist of user meta keys that should not be updatable through the registration form, Wordfence highlights the ease with which attackers can bypass this protection measure. Websites that have fallen victim to the CVE-2023-3460 attacks exhibit certain indicators, including the appearance of new administrator accounts with usernames like wpenginer, wpadmins, wpengine_backup, se_brutal, and segs_brutal. Additionally, log records reveal access from malicious IPs to the Ultimate Member registration page, such as 146.70.189.245, 103.187.5.128, 103.30.11.160, 103.30.11.146, and 172.70.147.176. Another telltale sign is the presence of a user account associated with an email address from “exelica.com.” Moreover, compromised websites may exhibit the installation of new WordPress plugins and themes without authorized action.
Recommendations
Due to the critical nature of the unpatched flaw and its potential for exploitation, Wordfence strongly advises immediate uninstallation of the Ultimate Member plugin. They emphasize that even their specifically developed firewall rule does not cover all potential exploitation scenarios. Therefore, removing the plugin until the vendor addresses the problem remains the only prudent course of action.
In the unfortunate event that a site has already been compromised, simply removing the plugin is insufficient to mitigate the risk. Website owners must conduct thorough malware scans to eradicate any remnants of the compromise, including the presence of rogue admin accounts and potential backdoors.
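The indicators listed above (rogue usernames, the exelica.com email domain, and the source IPs hitting the registration page) can be checked mechanically against a site's web server access log and its user table. The script below is an added example written for this article; it is not code from Wordfence, the Ultimate Member developers, or BleepingComputer. It assumes the combined log format that Apache and nginx emit by default, assumes the registration page sits at the plugin's default slug `/register/` (change `REGISTRATION_PATH` if the site uses another), and takes the user list as `(login, email, role)` tuples such as one would export with WP-CLI's `wp user list`. The log lines and user records embedded in it are constructed for the demonstration.

```python
import re
from dataclasses import dataclass

# Indicators of compromise as listed in the article
IOC_IPS = {
    "146.70.189.245", "103.187.5.128", "103.30.11.160",
    "103.30.11.146", "172.70.147.176",
}
IOC_USERNAMES = {"wpenginer", "wpadmins", "wpengine_backup", "se_brutal", "segs_brutal"}
IOC_EMAIL_DOMAIN = "exelica.com"

# Assumption: the Ultimate Member registration page is at its default slug.
REGISTRATION_PATH = "/register/"

# Combined log format (Apache/nginx default); assumed for the sample lines below.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)


@dataclass
class LogEntry:
    ip: str
    timestamp: str
    method: str
    path: str
    status: int


def parse_log_line(line):
    """Parse one combined-format access log line; return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path = m["path"].split("?", 1)[0]  # drop the query string
    return LogEntry(m["ip"], m["ts"], m["method"], path, int(m["status"]))


def find_suspicious_requests(lines):
    """Return (entry, reason) pairs for requests from IoC IPs.

    A POST to the registration page from one of those IPs is the pattern the
    article describes (abuse of the registration form), so it is called out.
    """
    hits = []
    for line in lines:
        e = parse_log_line(line)
        if e is None or e.ip not in IOC_IPS:
            continue
        reason = "ioc-ip"
        if e.path.rstrip("/") + "/" == REGISTRATION_PATH and e.method == "POST":
            reason = "ioc-ip registration POST"
        hits.append((e, reason))
    return hits


def find_rogue_users(users, expected_admins=None):
    """users: iterable of (user_login, user_email, role) tuples.

    Flags IoC usernames, IoC email domains and, when an allowlist of expected
    administrator logins is given, any administrator not on it. The allowlist
    check is the one that still works once attackers change their naming.
    """
    rogue = []
    for login, email, role in users:
        reasons = []
        if login.lower() in IOC_USERNAMES:
            reasons.append("ioc-username")
        if email.lower().rsplit("@", 1)[-1] == IOC_EMAIL_DOMAIN:
            reasons.append("ioc-email-domain")
        if expected_admins is not None and role == "administrator" \
                and login not in expected_admins:
            reasons.append("unexpected-administrator")
        if reasons:
            rogue.append((login, role, reasons))
    return rogue


# Constructed sample data: two IoC IPs, one benign visitor, one benign registration.
SAMPLE_LOG = """\
203.0.113.10 - - [29/Jun/2023:10:00:01 +0000] "GET /blog/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
146.70.189.245 - - [29/Jun/2023:10:02:13 +0000] "GET /register/ HTTP/1.1" 200 8012 "-" "Mozilla/5.0"
146.70.189.245 - - [29/Jun/2023:10:02:19 +0000] "POST /register/ HTTP/1.1" 302 0 "-" "Mozilla/5.0"
103.30.11.160 - - [29/Jun/2023:10:05:44 +0000] "GET /wp-login.php HTTP/1.1" 200 3400 "-" "Mozilla/5.0"
198.51.100.7 - - [29/Jun/2023:10:07:00 +0000] "POST /register/ HTTP/1.1" 302 0 "-" "Mozilla/5.0"
""".splitlines()

SAMPLE_USERS = [
    ("alice", "alice@example.org", "administrator"),
    ("bob", "bob@example.org", "subscriber"),
    ("wpengine_backup", "backup@example.org", "administrator"),
    ("jdoe", "jdoe@exelica.com", "administrator"),
    ("carol", "carol@example.org", "administrator"),
]

if __name__ == "__main__":
    for entry, reason in find_suspicious_requests(SAMPLE_LOG):
        print(f"{entry.timestamp} {entry.ip} {entry.method} {entry.path}: {reason}")
    for login, role, reasons in find_rogue_users(SAMPLE_USERS, expected_admins={"alice"}):
        print(f"user {login} ({role}): {', '.join(reasons)}")
```

Run against a real site, replace `SAMPLE_LOG` with the access log read from disk and `SAMPLE_USERS` with the exported user table. The IP and username matches only catch the actors Wordfence has already seen; the administrator allowlist check is the durable part, since it flags any admin account the site owner did not create, whatever it is named. A hit on either list is a reason to follow the article's advice: remove the plugin and run a full malware scan for backdoors and added plugins or themes, not just delete the account.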
Source: bleepingcomputer.com