As many as 200,000 WordPress websites face a critical security vulnerability in the popular Ultimate Member plugin, posing a significant risk to site owners and administrators. Tracked as CVE-2023-3460 with a CVSS score of 9.8, this flaw allows attackers to gain unauthorized administrative privileges by creating rogue user accounts. Despite attempts to patch the issue, the plugin’s maintainers have acknowledged that the vulnerability remains actively exploited. This article explores the vulnerability details and provides recommendations to mitigate the risk.
The Vulnerability:
Ultimate Member is a widely used WordPress plugin that simplifies user registration and login processes while offering features such as user profiles and custom form fields. However, a security defect in the plugin has been identified, enabling attackers to add new user accounts with administrator privileges. The flaw stems from a conflict between the plugin’s blocklist logic and how WordPress handles metadata keys.
Attackers exploited the vulnerability by tricking the plugin into updating metadata keys, including the one responsible for storing user roles and capabilities. This manipulation allowed them to register user accounts with administrator privileges, compromising the affected websites. The attacks have been ongoing since at least June, with multiple instances of rogue accounts being reported.
Impacted Websites and Partial Fixes:
Approximately 200,000 WordPress websites that utilize the Ultimate Member plugin are at risk of exploitation. Even the latest version of the plugin, released on June 29, 2023, remains vulnerable to the flaw. WordPress security firm WPScan has emphasized the severity of the issue, warning that unauthenticated attackers can gain complete control over affected sites by creating new user accounts with administrative privileges.
The plugin maintainers have tried to address the vulnerability in recent versions, including 2.6.4, 2.6.5, and 2.6.6. However, these patches have been deemed incomplete by WPScan, as they discovered several methods to circumvent the fixes. As a result, the issue remains exploitable, putting website owners at continued risk.
Recommended Actions:
In light of the ongoing vulnerability, site owners are strongly advised to disable the Ultimate Member plugin until a comprehensive patch is available. This precautionary measure helps prevent unauthorized access and potential compromise of sensitive data. Additionally, auditing all administrator roles on WordPress websites is crucial to identify any rogue accounts that may have been created.
Ultimate Member released version 2.6.7 of the plugin on July 1, aiming to address the privilege escalation flaw. The update includes a whitelisting feature for meta keys and introduces a separate operation for form settings data and submitted data to enhance security. Furthermore, the plugin maintainers plan to implement a new feature that allows website administrators to reset passwords for all users, adding an extra layer of protection against potential attacks.
Conclusion:
The critical security vulnerability in the Ultimate Member WordPress plugin has exposed thousands of websites to the risk of unauthorized access and compromise. Despite attempts to patch the flaw, the plugin’s maintainers have acknowledged the ongoing exploitation and the incomplete nature of the fixes. To safeguard their websites, site owners should promptly disable the plugin and conduct thorough administrator role audits. Keeping a close eye on updates from Ultimate Member and promptly applying comprehensive patches will be essential to mitigating the security risks associated with this vulnerability.
