WordPress Ultimate Member 2.6.6 Privilege Escalation

WordPress Ultimate Member plugin versions 2.6.6 and below suffer from a privilege escalation vulnerability.

Packet Storm
#vulnerability #web #wordpress #intel #auth
Description: Ultimate Member <= 2.6.6 – Privilege Escalation via Arbitrary User Meta Updates
Affected Plugin: Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin
Plugin Slug: ultimate-member
Affected Versions: <= 2.6.6
CVE ID: CVE-2023-3460
CVSS Score: 9.8 (Critical)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Researcher/s: Unknown, Marc-Alexandre Montpas
Fully Patched Version: NONE

The Ultimate Member plugin for WordPress is vulnerable to privilege escalation in versions up to, and including, 2.6.6. This is due to the plugin using a predefined list of banned user meta keys, which can be bypassed by a few methods, such as adding slashes to the user meta key. This makes it possible for unauthenticated attackers to register on a site as an administrator.

Vulnerable Mechanism

Ultimate Member is a plugin designed to add easy registration and account management to WordPress sites. One of its features is a registration form that users can use to sign up for an account on a WordPress site running the plugin. Unfortunately, this form makes it possible for users to register and set arbitrary user meta values for their account.

While the plugin has a predefined list of banned keys that a user should not be able to update, in vulnerable versions there are trivial ways to bypass the filters put in place, such as varying the case, adding slashes, or changing the character encoding of a supplied meta key.

This makes it possible for attackers to set the wp_capabilities user meta value, which controls the user’s role on the site, to ‘administrator’. This grants the attacker complete access to the vulnerable site when successfully exploited.

Indicators of Compromise

While our attack data is limited at this point, we do have the following indicators of compromise from a separate pre-existing firewall rule that provided partial coverage for this vulnerability. We recommend running a complete Wordfence malware scan to ensure your site is not compromised if you are running Ultimate Member, and keeping an eye out for the following indicators of compromise.

- The most important thing to check for is new user accounts created with administrator privileges.
- We are seeing the following usernames in our attack data:
  - wpenginer
  - wpadmins
  - wpengine_backup
  - se_brutal
  - segs_brutal
- Access log entries showing attackers hitting a compromised site’s Ultimate Member registration page, which is on the /register path by default.
- Look for the following IP addresses in a site’s access logs, or in the Wordfence plugin’s live traffic feed:
  - 146.70.189.245
  - 103.187.5.128
  - 103.30.11.160
  - 103.30.11.146
  - 172.70.147.176
- The following domain has been associated with user account email addresses:
  - exelica[.]com
- Check for plugins and themes that may not have been installed previously.

If your site has been compromised by this exploit, we offer professional site cleaning services through Wordfence Care, with Wordfence Response providing an expedited turnaround time. Alternatively, if you’re comfortable doing so, we provide instructions on how to clean your site using the free Wordfence plugin.

Conclusion

In today’s PSA, we covered a Critical-severity Privilege Escalation vulnerability in Ultimate Member that is being actively exploited. The vulnerability remains unpatched and can quickly allow unauthenticated users to take over any site with the plugin installed. This means that all 200,000 installations are currently at risk.

We recommend verifying that this plugin is not installed on your site until a patch is made available, and forwarding this advisory to anyone you know who manages a WordPress website.

While the firewall rule we released today should protect Wordfence Premium, Wordfence Care, and Wordfence Response users from site takeover, the Ultimate Member plugin contains additional functionality that is impractical to block and could potentially be abused by a sophisticated attacker in combination with vulnerabilities in other software. As such, we recommend uninstalling the plugin even if you are protected by our firewall rule, as the rule minimizes but does not fully eliminate the risk presented by this vulnerability.

For security researchers looking to disclose vulnerabilities responsibly and obtain a CVE ID, you can submit your findings to Wordfence Intelligence and potentially earn a spot on our leaderboard.

Special thanks to Ramuel Gall, Wordfence Senior Security Researcher, and István Márton, Wordfence Vulnerability Researcher, for their assistance reverse engineering this vulnerability and for contributing to this post!
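The access-log indicators above (the default /register path and the listed source addresses) turned into a check a defender can run over a log file; this is an added example, not Wordfence's or Packet Storm's code, and it assumes Apache/nginx combined log format with constructed sample lines. The most important indicator, an administrator account you did not create, is a direct look at the users table and is not repeated here.

```python
# Added example (not Wordfence's or Packet Storm's code): scan web-server access-log
# lines for the indicators the advisory lists. The sample lines are constructed.
import re

IOC_IPS = {"146.70.189.245", "103.187.5.128", "103.30.11.160", "103.30.11.146", "172.70.147.176"}
REGISTER_PATH = "/register"  # Ultimate Member's default registration page
# Assumes combined log format: ip ident user [ts] "METHOD path proto" status ...
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" \d{3}')

def parse_line(line):
    m = LOG_RE.match(line)
    if not m:
        return None  # unparseable line: reported as skipped, never silently matched
    rec = m.groupdict()
    rec["path"] = rec["path"].split("?", 1)[0].rstrip("/") or "/"  # drop query and trailing slash
    return rec

def log_reasons(rec):
    # A listed IP is worth flagging anywhere. The list is partial, so every POST to the
    # registration page (an account creation) is flagged for review regardless of source.
    reasons = ["ioc_ip"] if rec["ip"] in IOC_IPS else []
    if rec["path"] == REGISTER_PATH and rec["method"] == "POST":
        reasons.append("register_post")
    return reasons

def scan_access_log(lines):
    """Return (flagged, skipped): {line_no: reasons} for matches, plus the numbers of
    lines that did not parse so they can be reviewed by hand."""
    flagged, skipped = {}, []
    for n, line in enumerate(lines, 1):
        rec = parse_line(line)
        if rec is None:
            skipped.append(n)
        elif (reasons := log_reasons(rec)):
            flagged[n] = reasons
    return flagged, skipped

SAMPLE_LOG = [  # constructed lines
    '146.70.189.245 - - [30/Jun/2023:10:02:11 +0000] "POST /register/ HTTP/1.1" 302 0',
    '198.51.100.7 - - [30/Jun/2023:10:05:40 +0000] "GET /register/ HTTP/1.1" 200 5120',
    '203.0.113.9 - - [30/Jun/2023:10:06:02 +0000] "POST /register/?um=1 HTTP/1.1" 302 0',
    '103.30.11.160 - - [30/Jun/2023:10:07:15 +0000] "GET /wp-login.php HTTP/1.1" 200 880',
    'not a log line',
]

if __name__ == "__main__":
    flagged, skipped = scan_access_log(SAMPLE_LOG)
    for n, reasons in flagged.items():
        print(f"line {n}: {', '.join(reasons)} -> {SAMPLE_LOG[n - 1]}")
    print("unparsed lines:", skipped)
```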

Related news

CVE-2023-3460

The Ultimate Member WordPress plugin before 2.6.7 does not prevent visitors from creating user accounts with arbitrary capabilities, effectively allowing attackers to create administrator accounts at will. This is actively being exploited in the wild.
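The CVE entry above and the Vulnerable Mechanism section describe one defect: a denylist compared against the raw submitted meta key, so case, slash and encoding variants slip past it. As an added example (not the plugin's own code), the weak exact-match check next to a canonicalise-then-allowlist check; the key names, the denylist and the form's field set are assumptions for the demonstration.

```python
# Added example (not the plugin's code): why an exact-match denylist on user-supplied
# meta keys fails, and a canonicalise-then-allowlist check that holds up. The key
# names, the denylist and the form field set below are assumptions.
from urllib.parse import unquote

PROTECTED_KEYS = {"wp_capabilities", "wp_user_level"}  # assumed denylist; the role lives in wp_capabilities

def denylist_allows(key):
    """The weak pattern: compare the raw submitted key against the denylist."""
    return key not in PROTECTED_KEYS

def canonical(key, rounds=3):
    """Normalise to the form the storage layer will actually see: percent-decode and
    strip backslashes until the value stops changing, then trim and lower-case."""
    for _ in range(rounds):
        nxt = unquote(key).replace("\\", "").strip().lower()
        if nxt == key:
            break
        key = nxt
    return key

def allowlist_allows(key, form_fields):
    """The hardened pattern: after canonicalisation the key must be one the registration
    form defines, and must never be a protected key, however it was spelled."""
    k = canonical(key)
    return k in form_fields and k not in PROTECTED_KEYS

FORM_FIELDS = {"first_name", "last_name", "description"}  # assumed registration form

if __name__ == "__main__":
    for submitted in ["first_name", "WP_Capabilities", "wp%5Fcapabilities"]:
        print(f"{submitted!r}: denylist={denylist_allows(submitted)} "
              f"allowlist={allowlist_allows(submitted, FORM_FIELDS)}")
```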

Zero-Day Exploit Threatens 200,000 WordPress Websites

By Habiba Rashid. Tracked as CVE-2023-3460, the zero-day vulnerability possesses a CVSS score of 9.8, indicating its severity. This is a post from HackRead.com. Read the original post: Zero-Day Exploit Threatens 200,000 WordPress Websites

Unpatched WordPress Plugin Flaw Could Let Hackers Create Secret Admin on 200,000 Sites

As many as 200,000 WordPress websites are at risk of ongoing attacks exploiting a critical unpatched security vulnerability in the Ultimate Member plugin. The flaw, tracked as CVE-2023-3460 (CVSS score: 9.8), impacts all versions of the Ultimate Member plugin, including the latest version (2.6.6) that was released on June 29, 2023. Ultimate Member is a popular plugin that facilitates the
