Critical Security Vulnerability in 'Ultimate Member' Plugin Puts Over 200,000 WordPress Sites at Risk
A critical security flaw, tracked as CVE-2023-3460, was recently discovered in the widely used 'Ultimate Member' plugin and is a serious concern for website owners. The vulnerability allows attackers to add unauthorized user accounts to the administrators group, granting themselves elevated privileges. The bug has been actively exploited since June, resulting in the creation of suspicious, unauthorized accounts. More than 200,000 WordPress websites are currently exposed to these ongoing attacks.
Understanding the 'Ultimate Member' Plugin:
The 'Ultimate Member' plugin is designed to streamline the registration and login processes on WordPress sites. It enhances the user experience by offering features such as user profile creation, role definition, custom form fields, and member directories.
Exploiting the Vulnerability:
The 'Ultimate Member' plugin contains a critical security flaw, tracked as CVE-2023-3460. This flaw allows attackers to create unauthorized user accounts with administrator-level privileges. Users of the plugin have reported the creation of suspicious accounts since June, indicating active exploitation of this vulnerability.
Description: Ultimate Member <= 2.6.6 – Privilege Escalation via Arbitrary User Meta Updates
Affected Plugin: Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin
Plugin Slug: ultimate-member
Affected Versions: <= 2.6.6
CVE ID: CVE-2023-3460
CVSS Score: 9.8 (Critical)
In simpler terms, the vulnerability in the 'Ultimate Member' plugin enables hackers to gain unauthorized access and control over websites by creating accounts with administrator-level privileges. Website owners must promptly address this issue to protect their websites and prevent further unauthorized access.
Root Cause of the Issue:
The vulnerability in the 'Ultimate Member' plugin stems from a conflict between the plugin's blocklist logic and the way WordPress handles metadata keys. WordPress stores per-user settings as user metadata: each value is stored under a metadata key, and some of those keys (the one holding a user's role and capabilities, for example) control what the account is allowed to do. The plugin keeps a blocklist of metadata keys that users must not be able to set themselves, and during account creation it checks the keys submitted with the registration form against that blocklist.
Attackers exploited the discrepancy between how the plugin and WordPress treat these keys. By submitting metadata keys that the blocklist check did not recognise, including the key that stores the user's role and capabilities, they bypassed the plugin's protection and obtained administrator privileges on the affected sites.
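The following added example is not Ultimate Member's code; it illustrates the general class of bug described above: a blocklist of protected user-meta keys that compares the raw submitted key, while the layer that stores the key treats it differently, so the two disagree about what counts as the same key. The canonicalisation rules of the toy storage layer (trim whitespace, fold case) are an assumption for illustration and not a statement about WordPress's own behaviour. The one WordPress-specific fact it relies on is real: the capability and user-level keys are prefixed with the site's database table prefix (`wp_` by default), so a blocklist that hard-codes `wp_capabilities` misses sites with a custom prefix. The hardened version canonicalises before comparing, derives the protected keys from the actual prefix, and, better still, allowlists the fields a registration form is meant to set.

```python
# Added illustrative example of a blocklist/canonicalisation mismatch for
# protected user-meta keys. Not the plugin's code; the canonical_key() rules
# are an assumption made for illustration, not WordPress behaviour.

# Suffixes of the privilege-bearing keys; the full key is table_prefix + suffix.
PROTECTED_SUFFIXES = ("capabilities", "user_level")

# Fields a registration form is legitimately expected to set (assumed list).
REGISTRATION_ALLOWLIST = frozenset({"first_name", "last_name", "description"})


def naive_is_blocked(meta_key: str) -> bool:
    """The fragile pattern: exact string match against a hard-coded prefix.

    It only recognises the key exactly as spelled here, so any variant the
    storage layer would later treat as the same key slips past it, and it is
    wrong on every site whose table prefix is not 'wp_'.
    """
    return meta_key in {"wp_capabilities", "wp_user_level"}


def canonical_key(meta_key: str) -> str:
    """Toy canonical form of a meta key (assumption for illustration only)."""
    return meta_key.strip().lower()


def hardened_is_blocked(meta_key: str, table_prefix: str = "wp_") -> bool:
    """Canonicalise first, then compare against keys built from the real prefix."""
    key = canonical_key(meta_key)
    protected = {canonical_key(table_prefix + s) for s in PROTECTED_SUFFIXES}
    return key in protected


def filter_registration_meta(submitted: dict, table_prefix: str = "wp_") -> dict:
    """Allowlist approach: keep only known-safe fields, keyed by canonical name.

    Anything not on the allowlist is dropped, so the result can never contain a
    privilege-bearing key regardless of how it was spelled on the way in.
    """
    kept = {}
    for raw_key, value in submitted.items():
        key = canonical_key(raw_key)
        if key in REGISTRATION_ALLOWLIST and not hardened_is_blocked(key, table_prefix):
            kept[key] = value
    return kept


if __name__ == "__main__":
    # Constructed registration payload: one legitimate field, one that must not
    # be user-controlled, spelled so that an exact-match check misses it.
    payload = {"First_Name": "Alice", " WP_Capabilities ": "x"}
    for k in payload:
        print(f"{k!r}: naive={naive_is_blocked(k)} hardened={hardened_is_blocked(k)}")
    print("stored:", filter_registration_meta(payload))
```

The design choice worth taking from this is the last function: a blocklist has to enumerate every spelling of every dangerous key and is wrong whenever the storage layer's notion of equality differs from the comparison, whereas an allowlist only has to name the handful of fields a form is supposed to write.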
Patching Efforts and Acknowledgment:
The maintainers of the 'Ultimate Member' plugin attempted to address the vulnerability in the last two plugin releases, but those attempts did not fully patch the flaw. The maintainers have, however, acknowledged that the vulnerability is being exploited in the wild.
Mitigation Measures for Site Owners:
To protect their websites from potential exploitation, site owners are strongly advised to disable the 'Ultimate Member' plugin. This step will help prevent further compromise resulting from the vulnerability. Additionally, site owners should conduct a thorough audit of administrator roles to identify any rogue accounts that might have been created.
The discovery of the critical security vulnerability CVE-2023-3460 in the 'Ultimate Member' plugin puts more than 200,000 WordPress websites at risk. Site owners need to understand the seriousness of the issue, including its root cause and the ongoing exploitation by attackers. By promptly disabling the vulnerable plugin and conducting thorough website audits, site owners can limit the impact of this security risk.
Protecting WordPress websites from potential cyber attacks and safeguarding user data should be the top priority. To achieve this, site owners are encouraged to prioritize security measures and implement robust security solutions. Armoryze offers comprehensive web application and API protection services, as well as risk-based vulnerability management services. These services can fortify your website's defenses and proactively identify, detect and prevent vulnerability exploitation.
Don't wait for an attack to happen. Schedule a FREE consultation with Armoryze today to discuss your specific security needs and develop a tailored strategy to protect your WordPress website. By partnering with us and taking proactive steps, you can ensure the safety and integrity of your website and the data it holds.