Zero-Day Exploit Threatens 200,000 WordPress Websites
By Habiba Rashid
The issue enables attackers to exploit a flaw in the Ultimate Member plugin that allows the creation of rogue admin accounts.
Cybersecurity researchers have discovered ongoing attacks targeting a critical vulnerability in the widely used Ultimate Member plugin for WordPress websites. This plugin, designed to streamline user registration and login processes, is currently installed on over 200,000 active websites worldwide.
The attacks, leveraging a zero-day vulnerability, allow hackers to gain elevated privileges on target websites, potentially leading to unauthorized access and control over the affected sites.
Tracked as CVE-2023-3460, the vulnerability possesses a CVSS score of 9.8, indicating its severity. It enables attackers to exploit a flaw in the Ultimate Member plugin that allows the creation of rogue admin accounts. By manipulating predefined banned user meta keys within the plugin, attackers can add slashes to bypass the restrictions, alter the user meta key values, and set their wp_capabilities meta value to “administrator.” This grants them administrative access to the compromised websites.
Reports from the WordPress security firm WPScan suggest that the attacks have been ongoing since at least the beginning of June, with some users already observing and reporting suspicious activities, such as the creation of unauthorized administrator accounts.
The issue stems from a conflict between the plugin’s blocklist logic and the way WordPress handles metadata keys. While the plugin’s maintainers have attempted to address the privilege escalation bug in recent versions, including versions 2.6.4, 2.6.5, and 2.6.6, they have not fully patched the vulnerability.
Wordfence, another prominent security firm, also confirmed the existence of the zero-day vulnerability and warned WordPress administrators about the ongoing exploitation. They discovered instances of attackers creating rogue accounts with usernames such as “wpenginer,” “wpadmins,” “wpengine backup,” “se brutal,” and “segs brutal.”
The researchers have shared indicators of compromise (IoCs) associated with these attacks, aiding administrators in identifying potential breaches.
While the plugin developers are actively working on a patch to address the vulnerability, their efforts thus far have not fully resolved the issue. Even the latest version of Ultimate Member (2.6.6) remains vulnerable.
In the meantime, website owners are strongly advised to disable or uninstall the Ultimate Member plugin to mitigate the risk of exploitation. Additionally, administrators should conduct audits of their site’s administrator roles to identify any unauthorized accounts.
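One way to run the administrator-role audit recommended above, as an added example that is not from HackRead, WPScan, Wordfence or the Ultimate Member project: it assumes rows exported from the default wp_users and wp_usermeta tables (table prefix wp_), flags the rogue usernames Wordfence reported, and runs on constructed sample data.

```python
import re
from dataclasses import dataclass
# Usernames Wordfence reported on rogue accounts (quoted in the article).
ROGUE_USERNAMES = {"wpenginer", "wpadmins", "wpengine backup", "se brutal", "segs brutal"}
# Each role set to true inside a PHP-serialized capabilities value,
# e.g. a:1:{s:13:"administrator";b:1;}
_ROLE_RE = re.compile(r's:\d+:"([^"]+)";b:1;')

@dataclass
class User:
    user_id: int
    user_login: str
    user_registered: str  # "YYYY-MM-DD HH:MM:SS" as WordPress stores it

def normalize_meta_key(key: str) -> str:
    # Drop backslashes before comparing, so a slashed spelling of the
    # capabilities key (the bypass the article describes) cannot evade the audit.
    return key.replace("\\", "")

def granted_roles(serialized: str) -> set[str]:
    return set(_ROLE_RE.findall(serialized))

def audit_admins(users, usermeta, since="2023-06-01"):
    """Findings (user_id, user_login, reasons) for every administrator; extra reasons
    mark known rogue names and accounts registered in the exploitation window."""
    by_id = {u.user_id: u for u in users}
    findings = []
    for user_id, meta_key, meta_value in usermeta:
        if normalize_meta_key(meta_key) != "wp_capabilities":
            continue
        if "administrator" not in granted_roles(meta_value):
            continue
        user = by_id.get(user_id)
        reasons = ["administrator capability"]
        if user and user.user_login in ROGUE_USERNAMES:
            reasons.append("known rogue username")
        if user and user.user_registered >= since:
            reasons.append(f"registered on/after {since}")
        findings.append((user_id, user.user_login if user else "?", reasons))
    return findings

def run_sample():
    # Constructed export: one long-standing admin, one rogue admin, one subscriber.
    users = [User(1, "siteowner", "2021-03-04 10:00:00"), User(57, "wpadmins", "2023-06-12 03:14:07"),
             User(58, "jdoe", "2023-06-20 09:00:00")]
    admin = 'a:1:{s:13:"administrator";b:1;}'
    usermeta = [(1, "wp_capabilities", admin), (57, "wp_capabilities", admin),
                (58, "wp_capabilities", 'a:1:{s:10:"subscriber";b:1;}'), (58, "nickname", "jdoe")]
    return audit_admins(users, usermeta)
```

Every administrator is listed so that the legitimate ones can be confirmed by hand; the extra reasons are what to investigate first.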