Hackers Exploiting Unpatched WordPress Plugin Flaw to Create Secret Admin Accounts



Jul 01, 2023Ravie LakshmananWebsite Security / Cyber Threat

As many as 200,000 WordPress websites are vulnerable to ongoing attacks exploiting a critical unpatched security vulnerability in the Ultimate Member plugin.

The flaw, tracked as CVE-2023-3460 (CVSS score: 9.8), affects all versions of the Ultimate Member plugin, including the latest version (2.6.6), which was released on June 29, 2023.

Ultimate Member is a popular plugin that facilitates the creation of user profiles and communities on WordPress sites. It also provides account management features.

"This is a very serious issue: unauthenticated attackers may exploit this vulnerability to create new user accounts with administrative privileges, giving them the power to take complete control of affected sites," WordPress security firm WPScan said in an alert.

Although details about the flaw have been withheld due to active abuse, it stems from inadequate blocklist logic that is meant to stop a new user's wp_capabilities user meta value from being changed to that of an administrator, which would grant full access to the site.

"While the plugin has a preset defined list of banned keys, that a user should not be able to update, there are trivial ways to bypass filters put in place such as utilizing various cases, slashes, and character encoding in a supplied meta key value in vulnerable versions of the plugin," Wordfence researcher Chloe Chamberland said.

The issue came to light after reports emerged of rogue administrator accounts being added to the affected sites, prompting the plugin maintainers to issue partial fixes in versions 2.6.4, 2.6.5, and 2.6.6. A new update is expected to be released in the coming days.

"A privilege escalation vulnerability used through UM Forms," Ultimate Member said in its release notes. "Known in the wild that vulnerability allowed strangers to create administrator-level WordPress users."


WPScan, however, pointed out that the patches are incomplete and that it found numerous methods to bypass them, meaning the issue is still actively exploitable.

In the observed attacks, the flaw is being used to register new accounts under the names apadmins, se_brutal, segs_brutal, wpadmins, wpengine_backup, and wpenginer, which are then used to upload malicious plugins and themes through the site's administration panel.

Users of Ultimate Member are advised to disable the plugin until a proper patch that completely closes the security hole is made available. It is also recommended to audit all administrator-level users on the sites to determine whether any unauthorized accounts have been added.

Ultimate Member Version 2.6.7 Released

The Ultimate Member authors released version 2.6.7 of the plugin on July 1 to address the actively exploited privilege escalation flaw. As an added security measure, they also plan to ship a new feature within the plugin to allow site administrators to reset passwords for all users.

"2.6.7 introduces whitelisting for meta keys which we store while submitting forms," the maintainers said in an independent advisory. "2.6.7 also separates form settings data and submitted data and operates them in 2 different variables."
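To illustrate why the blocklist approach described above failed and what the allowlist change in 2.6.7 amounts to, here is a simplified example added for this article; it is not Ultimate Member's code, and the field names, the blocklist contents and the submitted data are all constructed for the illustration.

```php
<?php
// Added illustration, not Ultimate Member's code. Shows why filtering
// user-supplied meta keys with a blocklist is fragile and why keying the
// filter off the form definition (an allowlist) is the robust fix.

// Keys that must never be settable from a registration or profile form.
const PROTECTED_META_KEYS = ['wp_capabilities', 'wp_user_level'];

// "Before" (constructed): drop a submitted key only if it matches the
// blocklist exactly. A differently-cased spelling of a protected key is
// not in the list, so it passes straight through.
function blocklist_filter(array $submitted): array {
    return array_filter($submitted, function (string $key): bool {
        return !in_array($key, PROTECTED_META_KEYS, true);
    }, ARRAY_FILTER_USE_KEY);
}

// "After" (constructed): iterate the fields the form definition declares and
// copy only those from the submission. Form settings ($form_fields) and
// submitted data ($submitted) are kept in separate variables, and any key the
// form never declared is ignored regardless of how it is spelled or encoded.
function allowlist_filter(array $submitted, array $form_fields): array {
    $kept = [];
    foreach ($form_fields as $field) {
        if (array_key_exists($field, $submitted)) {
            $kept[$field] = $submitted[$field];
        }
    }
    return $kept;
}

// Constructed sample submission: one legitimate profile field plus a
// disguised protected key (case-varied, as the article describes).
$submission = [
    'description'     => 'Hello from a new member',
    'WP_Capabilities' => '<attacker-controlled value, omitted>',
];
$form_fields = ['description', 'display_name'];

print_r(array_keys(blocklist_filter($submission)));              // both keys survive
print_r(array_keys(allowlist_filter($submission, $form_fields))); // only 'description'
```

The allowlist version never has to anticipate case, slash or encoding variants, which is what makes it a complete fix rather than another round of blocklist patching.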
