The issue enables attackers to exploit a flaw in the Ultimate Member plugin that allows the creation of rogue admin accounts.
Cybersecurity researchers have discovered ongoing attacks targeting a critical vulnerability in the widely used Ultimate Member plugin for WordPress websites. This plugin, designed to streamline user registration and login processes, is currently installed on over 200,000 active websites worldwide.
The attacks, leveraging a zero-day vulnerability, allow hackers to gain elevated privileges on target websites, potentially leading to unauthorized access and control over the affected sites.
Tracked as CVE-2023-3460, the vulnerability carries a CVSS score of 9.8, indicating its severity. It enables attackers to exploit a flaw in the Ultimate Member plugin that allows the creation of rogue admin accounts. By manipulating the plugin's predefined list of banned user meta keys, attackers can add slashes to bypass the restrictions, alter the user meta key values, and set their `wp_capabilities` meta to "administrator." This grants them administrative access to the compromised websites.
Reports from the WordPress security firm WPScan suggest that the attacks have been ongoing since at least the beginning of June, with some users already observing and reporting suspicious activities, such as the creation of unauthorized administrator accounts.
The issue stems from a conflict between the plugin’s blocklist logic and the way WordPress handles metadata keys. While the plugin’s maintainers have attempted to address the privilege escalation bug in recent versions, including versions 2.6.4, 2.6.5, and 2.6.6, they have not fully patched the vulnerability.
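The blocklist-versus-normalisation mismatch described above, as an added illustration that is not the plugin's own code: a naive check compares the raw submitted key against the banned list, while the storage layer strips backslashes before saving, so the two disagree. The hardened versions normalise first, or use an allowlist; the banned and allowed key sets and the `unslash` helper are constructed assumptions, not copied from Ultimate Member or WordPress.

```python
# Constructed example (not Ultimate Member's or WordPress's real code) showing why a
# blocklist applied before normalisation fails, and two safer alternatives.

# Assumption: keys the plugin never wants user-controlled profile forms to write.
BANNED_META_KEYS = {"wp_capabilities", "wp_user_level", "capabilities", "user_level"}

# Assumption: the only profile fields a registration/profile form should be able to set.
ALLOWED_PROFILE_KEYS = {"first_name", "last_name", "description", "nickname"}


def unslash(value: str) -> str:
    """Model of the storage layer stripping backslashes from submitted data (assumption)."""
    return value.replace("\\", "")


def normalize_key(key: str) -> str:
    """Apply the same transformation the storage layer will, so checks see the stored key."""
    return unslash(key).strip().lower()


def naive_is_allowed(key: str) -> bool:
    """Flawed: compares the raw submitted key, so a slashed variant is not recognised."""
    return key not in BANNED_META_KEYS


def hardened_is_allowed(key: str) -> bool:
    """Blocklist applied after normalisation: the check sees what will actually be stored."""
    return normalize_key(key) not in BANNED_META_KEYS


def allowlist_is_allowed(key: str) -> bool:
    """Preferred: only explicitly permitted keys may be written, whatever their spelling."""
    return normalize_key(key) in ALLOWED_PROFILE_KEYS


def filter_submitted_meta(submitted: dict, policy=allowlist_is_allowed) -> dict:
    """Return the subset of submitted meta, keyed by normalised name, that the policy accepts."""
    return {normalize_key(k): v for k, v in submitted.items() if policy(k)}
```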
Wordfence, another prominent security firm, also confirmed the existence of the zero-day vulnerability and warned WordPress administrators about the ongoing exploitation. They discovered instances of attackers creating rogue accounts with usernames such as “wpenginer,” “wpadmins,” “wpengine backup,” “se brutal,” and “segs brutal.”
The researchers have shared indicators of compromise (IoCs) associated with these attacks, aiding administrators in identifying potential breaches.
While the plugin developers are actively working on a patch to address the vulnerability, their efforts thus far have not fully resolved the issue. Even the latest version of Ultimate Member (2.6.6) remains vulnerable.
In the meantime, website owners are strongly advised to disable or uninstall the Ultimate Member plugin to mitigate the risk of exploitation. Additionally, administrators should conduct audits of their site’s administrator roles to identify any unauthorized accounts.