Ultimate Members WordPress plugin vulnerability allows full site takeover

A vulnerability in a WordPress membership plugin with over 200,000 active installations is being actively exploited on unpatched WordPress sites. The security filters the plugin relies on are said to require only trivial effort to bypass.

Ultimate Member Plugin Vulnerability

The WordPress Ultimate Member plugin allows publishers to create online communities on their websites.

The plugin works by creating a frictionless process for user registrations and user profile creation. It is a popular plugin especially for membership sites.

The free version of the plugin has an extensive feature set, including front-end user profiles, registration and login forms, and the ability for site editors to create member directories.

The plugin also contained a critical flaw that allowed a site visitor to create member profiles with essentially administrator-level privileges.

WPScan security database describes the severity of the vulnerability:

“The plugin does not prevent visitors from creating user accounts with arbitrary capabilities, allowing attackers to create administrator accounts at will.

This is being actively exploited in the wild.”

Security update failed

The vulnerability was discovered in late June 2023, and the Ultimate Member developers quickly responded with a patch to close it.

The patch shipped in version 2.6.5, released on June 28.

The official changelog for the plugin stated:

“Fixed: A privilege escalation vulnerability used via UM forms.

The vulnerability is known in the wild to allow strangers to create admin-level WordPress users.

Update immediately and check all admin-level users on your website.”

However, this fix did not fully patch the vulnerability and hackers continued to exploit it on websites.

Wordfence security researchers analyzed the plugin and determined on June 29 that the patch was not working, describing their findings in a blog post:

“Upon further investigation, we discovered that this vulnerability is being actively exploited and has not been properly patched in the latest version available, which is 2.6.6 at the time of writing.”

The problem was so severe that Wordfence described the effort required to hack the plugin as trivial.

Wordfence explained:

“Although the plugin has a predefined list of forbidden keys, which a user should not be able to update, there are trivial ways to bypass the established filters, such as using multiple cases, slashes, and character encoding in a value of provided meta-key in vulnerable versions of the plugin.

This makes it possible for attackers to set the wp_capabilities user meta value, which controls the user’s role on the site, to “admin”.

This allows the attacker full access to the vulnerable site when successfully exploited.”

The admin user level is the highest level of access on a WordPress site.

What makes this exploit particularly worrisome is that it belongs to a class called “unauthenticated privilege escalation,” meaning that a hacker doesn’t need any level of access to the website in order to exploit the plugin.
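The Wordfence description above boils down to a blocklist compared by exact string match, which the variants it names (mixed case, inserted slashes, percent-encoding) slip past. The following added example, which is not the plugin's code and uses a constructed form submission, models that naive check beside a hardened one that canonicalises the submitted meta key first, and beside the stronger option of allowlisting the form fields a registration form is expected to write:

```python
import urllib.parse

# Constructed illustration: meta keys a registration form must never set.
# "wp_" is the default WordPress table prefix; real sites may use another.
FORBIDDEN_META_KEYS = {"wp_capabilities", "wp_user_level"}

# Stronger alternative: the only meta keys a profile form is allowed to write.
ALLOWED_FORM_FIELDS = {"first_name", "last_name", "description"}


def naive_is_blocked(key: str) -> bool:
    """Exact-match blocklist: the style of filter the advisory says was bypassed."""
    return key in FORBIDDEN_META_KEYS


def canonical_key(key: str) -> str:
    """Undo the variants named in the advisory before comparing."""
    prev = None
    while prev != key:            # repeat until no percent-encoding remains
        prev = key
        key = urllib.parse.unquote(key)
    key = key.replace("\\", "")   # drop inserted backslashes
    return key.lower()            # fold case


def hardened_is_blocked(key: str) -> bool:
    """Blocklist applied to the canonical form of the key."""
    return canonical_key(key) in FORBIDDEN_META_KEYS


def filter_by_blocklist(form_fields: dict) -> dict:
    """Fields that would still reach the user-meta update after hardening."""
    return {k: v for k, v in form_fields.items() if not hardened_is_blocked(k)}


def filter_by_allowlist(form_fields: dict) -> dict:
    """Fields kept when only known-good keys are accepted at all."""
    return {k: v for k, v in form_fields.items()
            if canonical_key(k) in ALLOWED_FORM_FIELDS}


if __name__ == "__main__":
    # Constructed submission mixing a legitimate field with disguised keys.
    submitted = {"first_name": "Ann", "WP_Capabilities": "x",
                 "wp%5Fuser_level": "x", "wp\\_capabilities": "x"}
    for k in submitted:
        print(f"{k!r}: naive={naive_is_blocked(k)} hardened={hardened_is_blocked(k)}")
    print(filter_by_blocklist(submitted))
    print(filter_by_allowlist(submitted))
```

The allowlist variant is the one to prefer: it needs no knowledge of which disguises an attacker might try, because anything not explicitly expected is dropped.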

Ultimate Member apologizes

The Ultimate Member team released a public apology to their users in which they provided a full account of everything that happened and how they responded.

Keep in mind that most companies issue a patch and keep quiet. It is therefore commendable and responsible of Ultimate Member to be honest with its customers about the security incident.

Ultimate Member wrote:

“First of all, we want to apologize for these vulnerabilities in our plugin code and for any affected websites and the concern this may have caused upon learning of the vulnerabilities.

As soon as we became aware that security vulnerabilities had been discovered in the plugin, we immediately began updating the code to fix the vulnerabilities.

We’ve released several updates since the disclosure while working on the vulnerabilities, and we’d like to thank the WPScan team for providing assistance and guidance with this after they were contacted to disclose the vulnerabilities.”

Plugin users are urged to update immediately

WPScan security researchers urge all plugin users to update their sites to version 2.6.7 immediately.

A special announcement from WPScan notes:

Hacking campaign that actively exploits the Ultimate Member plugin

“A new version, 2.6.7, was released this weekend that fixes the issue.

If you are using Ultimate Member, please upgrade to this version as soon as possible.

This is a very serious problem: unauthenticated attackers can exploit this vulnerability to create new user accounts with administrative privileges, giving them the power to take full control of the affected sites.”

This vulnerability has a rating of 9.8 on a scale of 1 to 10, with ten being the most serious level.

It is highly recommended that users of the plugin update immediately.

Featured image by Shutterstock/pedrorsfernandes

About the Author: Ted Simmons

I follow and report the current news trends on Google news.
