
Uncovering the Vulnerability: 200,000 WordPress Sites at Risk Due to ‘Ultimate Member’ Plugin Flaw

**200,000 WordPress Sites Exposed to Attacks Exploiting Flaw in ‘Ultimate Member’ Plugin**


In a concerning development for the security of WordPress websites, more than 200,000 sites are currently exposed to ongoing attacks targeting a critical vulnerability in the Ultimate Member plugin. The plugin is designed to facilitate user registration and login processes on WordPress sites and offers various features such as user profiles, customizable form fields, and member directories.

The vulnerability, tracked as CVE-2023-3460, has a CVSS score of 9.8, indicating its severity. It allows attackers to create new user accounts and add them to the administrators group. Some users of the plugin have reported the creation of unauthorized accounts, indicating that these attacks have been ongoing since at least the beginning of June.

According to WordPress security firm WPScan, the issue arises from a conflict between the plugin's blocklist logic and the way WordPress handles metadata keys. The plugin uses blocklists to prevent users from manipulating certain metadata keys during account creation. However, because the plugin and WordPress treat these keys differently, attackers were able to bypass the blocklist and trick the plugin into updating metadata keys, including the ones that store a user's role and capabilities.

This exploit allows attackers to register user accounts with administrator privileges. At least two site owners have reported suspicious activity related to rogue accounts created through this vulnerability. The maintainers of the Ultimate Member plugin have attempted to address the issue in the last two versions, but it appears they have been unable to fully patch the vulnerability. Despite this, they have acknowledged the ongoing attacks.

In response to this threat, site owners are advised to disable the Ultimate Member plugin to prevent exploitation of the vulnerability. They should also audit all administrator accounts on their sites to identify any rogue accounts that may have been created through this vulnerability.
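One way to carry out that audit directly against the WordPress database, as an added example that is not from the article or from the plugin's maintainers. It assumes the default `wp_` table prefix (capabilities live under the meta key `wp_capabilities`, which changes with the prefix) and uses 2023-06-01 as the cutoff, taken from the article's "beginning of June":

```sql
-- Added example: list every account holding the administrator role,
-- newest registrations first, so unexpected admins stand out.
-- Assumes the default table prefix "wp_"; adjust both the table names
-- and the meta_key if the site uses a different prefix.
SELECT u.ID,
       u.user_login,
       u.user_email,
       u.user_registered,
       m.meta_value AS capabilities
FROM wp_users AS u
JOIN wp_usermeta AS m ON m.user_id = u.ID
WHERE m.meta_key = 'wp_capabilities'
  AND m.meta_value LIKE '%"administrator"%'
ORDER BY u.user_registered DESC;

-- Narrow the view to administrators registered since the attacks were
-- first observed. The date is an assumption based on the article's
-- "beginning of June"; move it earlier if the first query looks suspicious.
SELECT u.ID,
       u.user_login,
       u.user_email,
       u.user_registered
FROM wp_users AS u
JOIN wp_usermeta AS m ON m.user_id = u.ID
WHERE m.meta_key = 'wp_capabilities'
  AND m.meta_value LIKE '%"administrator"%'
  AND u.user_registered >= '2023-06-01 00:00:00'
ORDER BY u.user_registered DESC;
```

Any login in the second result that the site owner did not create should be treated as a compromise indicator and removed, and the remaining administrators' passwords rotated, before the plugin is re-enabled on a fixed version.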

This incident highlights the ongoing challenges faced by WordPress site owners in ensuring the security of their websites. With plugins being an integral part of the WordPress ecosystem and offering various functionalities, it becomes crucial for site owners to regularly update their plugins and monitor for any vulnerabilities. Additionally, site owners should consider implementing a layered security approach that includes regular backups, strong user authentication measures, and web application firewalls.

While vulnerabilities and exploits are unfortunately common in the world of software, it is imperative for software developers to prioritize security and conduct thorough testing to identify and patch any vulnerabilities before they can be exploited. Users of software platforms should also remain vigilant and promptly apply any updates or patches released by developers to protect their systems and data.

Ultimately, this incident serves as a reminder that internet security is an ongoing battle. Cybercriminals are constantly devising new techniques to exploit vulnerabilities, and it is the responsibility of developers, users, and site owners to stay informed and take proactive measures to secure their systems.
