
Hackers Exploiting Unpatched WordPress Plugin Flaw To Create Secret Admin Accounts




As many as 200,000 WordPress websites are at risk of ongoing attacks exploiting a critical unpatched security vulnerability in the Ultimate Member plugin.

The flaw, tracked as CVE-2023-3460 (CVSS score: 9.8), impacts all versions of the Ultimate Member plugin, including the latest version (2.6.6) that was released on June 29, 2023.

Ultimate Member is a plugin that facilitates the creation of user profiles and communities on WordPress sites. It also provides account management features.

"This is a very serious issue: unauthenticated attackers may exploit this vulnerability to create new user accounts with administrative privileges, giving them the power to take complete control of affected sites," WordPress security firm WPScan said in an alert.


Although details about the flaw have been withheld due to active abuse, it stems from inadequate blocklist logic that was meant to stop a new user from altering their own wp_capabilities user meta value; bypassing that blocklist lets the value be set to that of an administrator, granting full access to the site.

"While the plugin has a preset defined list of banned keys, that a user should not be able to update, there are trivial ways to bypass filters put in place such as utilizing various cases, slashes, and character encoding in a supplied meta key value in vulnerable versions of the plugin," Wordfence researcher Chloe Chamberland said.

The issue came to light after reports emerged of rogue administrator accounts being added to the affected sites, prompting the plugin maintainers to issue partial fixes in versions 2.6.4, 2.6.5, and 2.6.6. A new update is expected to be released in the coming days.

"A privilege escalation vulnerability used through UM Forms," Ultimate Member said in its release notes. "Known in the wild that vulnerability allowed strangers to create administrator-level WordPress users."



WPScan, however, pointed out that the patches are incomplete and that it found numerous methods to circumvent them, meaning the issue is still actively exploitable.

In the observed attacks, the flaw is being used to register new accounts under the names apadmins, se_brutal, segs_brutal, wpadmins, wpengine_backup, and wpenginer to upload malicious plugins and themes through the site's administration panel.

Users of Ultimate Member are advised to disable the plugin until a proper patch that completely plugs the security hole is made available. It's also recommended to audit all administrator-level users on the websites to determine if any unauthorized accounts have been added.

Ultimate Member Version 2.6.7 Released

Ultimate Member's authors released version 2.6.7 of the plugin on July 1 to address the actively exploited privilege escalation flaw. As an added security measure, they also plan to ship a new feature within the plugin that lets website administrators reset passwords for all users.

"2.6.7 introduces whitelisting for meta keys which we store while sending forms," the maintainers said in an independent advisory. "2.6.7 also separates form settings data and submitted data and operates them in 2 different variables."
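The design change behind the 2.6.7 fix, as an added illustration that is not Ultimate Member's own code: a denylist filter on meta keys only catches the exact strings it anticipates, so the case, slash and encoding variants Wordfence describes slip past it, whereas an allowlist of the fields a form actually declares rejects every key it does not know. The function names, the banned list and the form definition below are hypothetical.

```php
<?php
// Added illustration, not the plugin's code. Models the difference between a
// denylist on banned meta keys and the per-form meta-key allowlist that 2.6.7
// introduced. All names here are hypothetical.

// Denylist approach: reject only keys that appear on a banned list.
function is_blocked_by_denylist(string $meta_key): bool
{
    // Hypothetical banned list with naive exact-match comparison.
    $banned = ['wp_capabilities', 'wp_user_level'];
    return in_array($meta_key, $banned, true);
}

// Allowlist approach: store only keys the form explicitly declares.
function is_allowed_by_allowlist(string $meta_key, array $form_fields): bool
{
    return in_array($meta_key, $form_fields, true);
}

// Hypothetical form definition: the only profile fields this form may store.
$form_fields = ['first_name', 'last_name', 'description'];

// Constructed sample of submitted keys: three variants of the privileged key
// (differing by case, a backslash and percent-encoding, the three classes the
// advisory names) followed by one legitimate field.
$submitted = ['WP_Capabilities', 'wp\\_capabilities', 'wp%5Fcapabilities', 'first_name'];

foreach ($submitted as $key) {
    $denylist  = is_blocked_by_denylist($key) ? 'blocked' : 'PASSES';
    $allowlist = is_allowed_by_allowlist($key, $form_fields) ? 'stored' : 'rejected';
    printf("%-20s denylist: %-8s allowlist: %s\n", $key, $denylist, $allowlist);
}
```

The denylist column shows the three variants passing while the allowlist column rejects all of them and stores only first_name; the allowlist needs no knowledge of how a privileged key might be disguised.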