Hackers exploit zero-day in Ultimate Member WordPress plugin with 200K installs

Hackers are taking advantage of a zero-day privilege escalation vulnerability found in the widely used ‘Ultimate Member’ WordPress plugin, allowing them to bypass security measures and gain unauthorized access to websites. The plugin, which has over 200,000 active installations, is designed to facilitate user sign-ups and community building on WordPress sites.

This vulnerability, identified as CVE-2023-3460 and classified as “critical” with a CVSS v3.1 score of 9.8, affects all versions of the Ultimate Member plugin, including the latest version, v2.6.6. Although the developers attempted to address the flaw in versions 2.6.3, 2.6.4, 2.6.5, and 2.6.6, the vulnerability remains exploitable. The developers are actively working on resolving the remaining issues and plan to release an updated version soon.

Wordfence, a website security specialist, discovered the attacks exploiting this zero-day vulnerability. Threat actors are utilizing the plugin’s registration forms to manipulate user meta values and elevate their privileges. By modifying the “wp_capabilities” user meta value, attackers can assign themselves the role of administrators, granting them full control over the compromised site.
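The mechanism described above is a registration form whose submitted fields end up written to user meta, including the privilege-bearing `wp_capabilities` key. The following is an added example, not Ultimate Member's code or Wordfence's: it shows the defensive pattern of allowlisting the fields a form declares (and refusing privileged meta keys outright) so that an undeclared key is dropped by default rather than having to be enumerated in a blocklist. The `filter_registration_fields` function, the `PRIVILEGED_META` set, the declared field list and the sample submission are all constructed here.

```python
"""Allowlist-based filtering of registration-form fields before they reach
user meta. Added example (not the plugin's own code); names and sample data
are assumptions for illustration."""

# Meta keys that grant privileges in WordPress. The article identifies
# wp_capabilities as the key attackers set; an unauthenticated registrant
# must never be able to write it, whatever the form declares.
PRIVILEGED_META = {"wp_capabilities"}


def filter_registration_fields(submitted, declared_fields):
    """Return (accepted, rejected) dicts.

    Only keys the form explicitly declares are kept. Everything else is
    dropped and reported, so a field the developer never listed cannot be
    written just because nobody thought to blocklist it. Privileged keys
    are rejected even if a misconfigured form declares them."""
    declared = {k.strip().lower() for k in declared_fields}
    accepted, rejected = {}, {}
    for key, value in submitted.items():
        norm = key.strip().lower()
        if norm in declared and norm not in PRIVILEGED_META:
            accepted[norm] = value
        else:
            rejected[norm] = value
    return accepted, rejected


# Constructed sample: the fields a sign-up form legitimately declares.
DECLARED_FIELDS = {"user_login", "user_email", "first_name", "last_name"}

# Constructed sample submission carrying an injected privilege key of the
# kind the article describes.
SAMPLE_SUBMISSION = {
    "user_login": "newmember",
    "user_email": "newmember@example.com",
    "first_name": "New",
    "wp_capabilities": {"administrator": True},
}


if __name__ == "__main__":
    ok, dropped = filter_registration_fields(SAMPLE_SUBMISSION, DECLARED_FIELDS)
    print("accepted:", ok)
    print("rejected:", dropped)
```

The design point is that the allowlist is the source of truth: adding a new profile field means declaring it, and a key that is not declared never reaches the database. The separate `PRIVILEGED_META` check is a second layer so that a form definition mistake cannot reopen the hole.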

Although the plugin has a blocklist intended to prevent unauthorized privilege upgrades, Wordfence states that bypassing this protection measure is straightforward. WordPress sites compromised through CVE-2023-3460 may exhibit various indicators, including the appearance of new administrator accounts, usage of specific usernames associated with malicious activity, log records showing access from known malicious IPs, the presence of user accounts associated with the email domain “exelica.com,” and the installation of unauthorized plugins and themes.

Due to the critical nature of the unpatched vulnerability and the ease of exploitation, Wordfence strongly advises immediate uninstallation of the Ultimate Member plugin. Even the firewall rule Wordfence developed does not cover all possible exploitation scenarios, making removal the most prudent action until the vendor addresses the issue. If a compromised site is identified, complete malware scans are necessary to remove any remnants of the compromise, such as rogue admin accounts and potential backdoors created by the attackers.
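The indicators listed two paragraphs above (new administrator accounts, accounts using the exelica.com email domain, specific usernames, unauthorized plugins and themes) lend themselves to a simple offline audit of a site's user and plugin inventory. The following is an added example, not Wordfence's tooling or the plugin's code: it runs those checks over a constructed inventory. The `UserRecord` shape, the known-good administrator list, the baseline date and the installed/approved plugin sets are assumptions for illustration; the article names the exelica.com domain but does not publish the usernames Wordfence observed, so `SUSPICIOUS_USERNAMES` is a placeholder to be filled from the advisory.

```python
"""Offline audit of a WordPress user/plugin inventory for the compromise
indicators described in the article. Added example with constructed data."""

from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass
class UserRecord:
    login: str
    email: str
    registered: str      # ISO 8601 timestamp, as exported from wp_users.user_registered
    capabilities: dict   # unserialized wp_capabilities meta, e.g. {"administrator": True}


# Named in the article as an indicator observed by Wordfence.
MALICIOUS_EMAIL_DOMAINS = {"exelica.com"}
# The article says specific usernames were seen but does not list them;
# placeholder to be replaced with the names from the Wordfence advisory.
SUSPICIOUS_USERNAMES = {"<username-from-wordfence-advisory>"}


def audit_users(users, known_admins, baseline):
    """Return a list of (login, reason) findings.

    known_admins: administrator logins the site owner recognises.
    baseline: aware datetime; administrator accounts created at or after it
    are flagged as new."""
    findings = []
    for u in users:
        is_admin = bool(u.capabilities.get("administrator"))
        if is_admin and u.login not in known_admins:
            findings.append((u.login, "administrator account not in known-good list"))
        if is_admin and datetime.fromisoformat(u.registered) >= baseline:
            findings.append((u.login, "administrator account created after baseline"))
        domain = u.email.rsplit("@", 1)[-1].lower()
        if domain in MALICIOUS_EMAIL_DOMAINS:
            findings.append((u.login, f"email domain {domain} is a known indicator"))
        if u.login in SUSPICIOUS_USERNAMES:
            findings.append((u.login, "username matches a known-malicious name"))
    return findings


def audit_extensions(installed, approved):
    """Return installed plugin/theme slugs absent from the approved baseline."""
    return sorted(set(installed) - set(approved))


# Constructed sample inventory (not real site data).
SAMPLE_USERS = [
    UserRecord("siteowner", "owner@example.com", "2021-03-14T09:00:00+00:00", {"administrator": True}),
    UserRecord("editor1", "editor@example.com", "2022-05-02T12:30:00+00:00", {"editor": True}),
    UserRecord("member42", "m42@example.net", "2023-06-28T18:45:00+00:00", {"subscriber": True}),
    UserRecord("wpadmin2", "support@exelica.com", "2023-06-29T10:15:00+00:00", {"administrator": True}),
]
KNOWN_ADMINS = {"siteowner"}
BASELINE = datetime(2023, 6, 1, tzinfo=timezone.utc)          # constructed cutoff
INSTALLED_PLUGINS = ["akismet", "ultimate-member", "unknown-plugin-xyz"]  # constructed
APPROVED_PLUGINS = ["akismet", "ultimate-member"]                          # constructed


if __name__ == "__main__":
    for login, reason in audit_users(SAMPLE_USERS, KNOWN_ADMINS, BASELINE):
        print(f"[USER] {login}: {reason}")
    for slug in audit_extensions(INSTALLED_PLUGINS, APPROVED_PLUGINS):
        print(f"[PLUGIN] not in approved baseline: {slug}")
```

In practice the user records would come from the `wp_users` and `wp_usermeta` tables (or a WP-CLI user export) and the plugin list from the site's plugins directory; a hit on any check is a reason to treat the site as compromised and proceed to the full malware scan and rogue-account cleanup the article recommends rather than simply deleting the flagged account.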
