Wednesday, February 28, 2024
HomeSECURITYVulnerability in Ultimate Member Plugin Gives Full Access to WordPress

Vulnerability in Ultimate Member Plugin Gives Full Access to WordPress


How to Hack a Website in 5 Minutes: Vulnerability in Ultimate Member Plugin Gives Full Access to WordPress

200 thousand websites are at risk.

The vulnerability, identified as CVE-2023-3460 (CVSS score: 9.8), affects all versions of the Ultimate Member plugin, including the latest version (2.6.6), which was released on June 29, 2023.

Ultimate Member is a popular plugin that allows you to create user profiles and communities on websites WordPress. It also provides account management features.

“This is a very serious problem: unauthenticated attackers can use this vulnerability to create new user accounts with administrative privileges, giving them full control over infected sites,” according to a warning from WordPress security company WPScan.

In order to prevent active abuse, details about the vulnerability in this case are not disclosed. However, it is associated with a flaw in the blocking logic. This flaw allows attackers to modify the value of the wp_capabilities parameter in the new user’s metadata, assigning him the status of an administrator and thus providing himself with full access to the site.

“While the plugin has a predefined list of forbidden keys that the user should not be able to update, there are trivial ways to bypass the filters set in vulnerable versions of the plugin, such as using different case, slashes, and character encodings in the passed key metadata value,” the researcher said. Wordfence Chloe Chamberlain.

The issue was discovered after reports surfaced that fake administrative accounts were being added on affected sites, leading the plugin developers to release partial fixes in versions 2.6.4, 2.6.5, and 2.6.6. A new update is expected in the coming days.

“A privilege escalation vulnerability exploited through Ultimate Member forms has been discovered in the wild,” reads the release notes for the latest release of Ultimate Member. “This vulnerability allows unauthorized parties to create WordPress users with administrator rights.”

“WPScan expresses concern that the current fixes are incomplete and indicates that there are many methods to work around them. This indicates that the vulnerability continues to be actively exploited,” WPScan said in a statement.

In the observed attacks, the vulnerability is used to register new accounts under the names apadmins, se_brutal, segs_brutal, wpadmins, wpengine_backup and wpenginer to download malicious plugins and themes through the site administration panel.

Ultimate Member users are advised to disable the plugin until a proper patch is released that will completely fix the vulnerability. It’s also a good idea to check all user accounts with administrator rights on the sites to determine if any unauthorized accounts have been added.

On July 1, the developers of the Ultimate Member plugin released version 2.6.7, in which they tried to fix an actively exploited vulnerability that allows elevating user privileges. As an added security measure, they also plan to introduce a new feature to the plugin that will allow website administrators to reset the passwords of all users.

“Version 2.6.7 is the introduction of a whitelist for meta keys that are preserved across form submissions,” the developers said in their self-supported newsletter. “In addition, 2.6.7 separates the form settings data from the submitted data, treating them as two separate variables.”

Source link


Please enter your comment!
Please enter your name here

Most Popular