Ultimate Member WordPress Plugin Vulnerability Allows Full Site Takeover

A vulnerability in the Ultimate Member WordPress plugin, which has over 200,000 active installations, is being actively exploited on unpatched WordPress websites. The flaw is said to require only trivial effort to bypass the plugin's security filters.

Ultimate Member Plugin Vulnerability

The Ultimate Member WordPress plugin allows publishers to build online communities on their sites.

The plugin provides a streamlined process for user sign-ups and the creation of user profiles. It is especially popular on membership websites.

The free version of the plugin has a rich feature set, including the following:

Front-end user profiles, registration and login; publishers can also build member directories.

However, the plugin contained a critical flaw that allowed a site visitor to create member profiles with administrator-level privileges.

The WPScan security database describes the severity of the vulnerability:

“The plugin does not prevent visitors from creating user accounts with arbitrary capabilities, effectively allowing attackers to create administrator accounts at will.

This is actively being exploited in the wild.”

Failed Security Update

The vulnerability was discovered in late June 2023, and the publishers of Ultimate Member responded quickly with a patch to close it.

That patch was released in version 2.6.5 on June 28th.

The official changelog for the plugin stated:

“Fixed: A privilege escalation vulnerability used through UM Forms.

Known in the wild, this vulnerability allowed strangers to create administrator-level WordPress users.

Please update immediately and check all administrator-level users on your site.”

That fix did not fully patch the vulnerability, and hackers continued to exploit it on sites.

Security researchers at Wordfence examined the plugin and determined on June 29th that the patch did not in fact work, explaining their findings in a blog post:

“Upon further investigation, we found that this vulnerability is being actively exploited and it hasn't been adequately patched in the latest version available, which is 2.6.6 at the time of this writing.”

The issue was so bad that Wordfence described the effort required to exploit the plugin as trivial.

Wordfence explained:

“While the plugin has a predefined list of banned keys that a user should not be able to update, there are trivial ways to bypass the filters put in place, such as using various cases, slashes, and character encoding in a supplied meta key value in vulnerable versions of the plugin.

This makes it possible for attackers to set the wp_capabilities user meta value, which controls the user's role on the site, to administrator.

This grants the attacker complete access to the vulnerable site when successfully exploited.”

The Administrator user level is the highest level of access to a WordPress website.

What makes this exploit a particular concern is that it belongs to a class called “Unauthenticated Privilege Escalation,” which means that a hacker does not need any level of access to the site whatsoever in order to exploit the plugin.
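The Wordfence quote above describes the root cause: a blocklist of forbidden meta keys compared by exact match, which case changes, slashes and percent-encoding slip past. The following added example (illustrative Python, not the plugin's PHP and not code from Ultimate Member or Wordfence) contrasts that naive check with a canonicalising check and with an allowlist of known form fields; the allowlist entries and the extra blocked key wp_user_level are constructed for the illustration.

```python
import urllib.parse

# Keys a visitor must never be able to write. wp_capabilities is the key named
# in the article; wp_user_level is a constructed second entry for illustration.
BLOCKED_META_KEYS = {"wp_capabilities", "wp_user_level"}

# Constructed allowlist of fields a registration form legitimately writes.
ALLOWED_META_KEYS = {"first_name", "last_name", "description"}


def is_blocked_naive(key: str) -> bool:
    """Exact-match blocklist: the weak pattern the article describes.
    Any change of case or encoding in the submitted key defeats it."""
    return key in BLOCKED_META_KEYS


def normalize_meta_key(key: str) -> str:
    """Canonicalise a submitted key before comparing it against policy.
    Percent-decodes until the value stops changing (so double encoding
    collapses too), removes backslashes, and lower-cases the result."""
    previous = None
    while previous != key:
        previous = key
        key = urllib.parse.unquote(key)
    key = key.replace("\\", "")
    return key.lower()


def is_blocked_hardened(key: str) -> bool:
    """Blocklist applied to the canonical form of the key."""
    return normalize_meta_key(key) in BLOCKED_META_KEYS


def is_allowed(key: str) -> bool:
    """Allowlist: only known form fields may be written, however spelled.
    This is the stronger design, since unknown keys are rejected by default."""
    return normalize_meta_key(key) in ALLOWED_META_KEYS


def audit_submission(fields: dict) -> list:
    """Return the submitted keys an allowlist-based form handler would reject."""
    return [key for key in fields if not is_allowed(key)]
```

Running the same disguised spelling of wp_capabilities through `is_blocked_naive` and `is_blocked_hardened` shows why the first shipped patch could be bypassed while a canonicalising or allowlist check is not.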

Ultimate Member Apologizes

The team at Ultimate Member issued a public apology to their users in which they gave a full account of what happened and how they responded.

It should be noted that most companies release a patch and stay quiet. It is good and responsible of Ultimate Member to be upfront with their customers about security incidents.

Ultimate Member wrote:

“Firstly, we want to apologize for these vulnerabilities in our plugin's code and to any site that has been affected, and for the concern this may have caused on learning of the vulnerabilities.

As soon as we were alerted that security vulnerabilities had been found in the plugin, we immediately began updating the code to patch the vulnerabilities.

We have released a number of updates since the disclosure as we worked through the vulnerabilities, and we want to say a huge thank you to the team at WPScan for providing help and support with this after they contacted us to disclose the vulnerabilities.”

Users of the Plugin are Urged to Update Immediately

Security researchers at WPScan advise all plugin users to update their sites to version 2.6.7 immediately.

A special announcement from WPScan notes:

“Hacking Campaign Actively Exploiting Ultimate Member Plugin

A new version, 2.6.7, was released this weekend and fixes the issue.

If you use Ultimate Member, update to this version as soon as possible.

This is a very serious issue: unauthenticated attackers may exploit this vulnerability to create new user accounts with administrative privileges, giving them the power to take complete control of affected sites.”

This vulnerability is ranked 9.8 on a scale of 1 to 10, with 10 being the most severe.

It is strongly recommended that users of the plugin update immediately.

Featured image by Shutterstock/Pedro Fernandes
