Title: Unpatched Security Vulnerability in Ultimate Member Plugin for WordPress
Date: 05/07/2023
Link: The HackerNews
Introduction
We would like to inform our valued clients about a critical security vulnerability affecting the popular Ultimate Member plugin for WordPress. This vulnerability poses a significant risk to your website’s security, allowing attackers to create new user accounts with administrative privileges. Immediate action is recommended to protect your website from potential exploits.
The impact
The vulnerability affects all versions of the Ultimate Member plugin, including the latest release (2.6.6) on June 29, 2023.
Attackers can exploit this flaw to create administrator-level accounts, giving them complete control over affected websites.
Partial fixes have been released, but they are considered incomplete, leaving the vulnerability actively exploitable.
Attack Patterns
Attackers have been observed registering new accounts with rogue administrator usernames.
These unauthorized accounts are used to upload malicious plugins and themes through the site’s administration panel.
Plugin Url: https://wordpress.org/plugins/ultimate-member/
Recommended Actions
Disable the Ultimate Member Plugin:
- Until a comprehensive patch is made available, we strongly advise disabling the Ultimate Member plugin on your WordPress website.
- This step will mitigate the risk of attackers exploiting the vulnerability and gaining unauthorized access.
Audit Administrator-Level Users:
- Conduct an immediate audit of all administrator-level user accounts on your website.
- Verify the legitimacy of each account and remove any unauthorized or suspicious entries.
Stay Informed:
- Regularly monitor updates and advisories from the Ultimate Member plugin maintainers regarding a comprehensive patch.
- Stay vigilant for any security notifications or recommendations provided by our team.