Security researchers at Wordfence uncovered alarming information regarding an unpatched privilege escalation vulnerability in Ultimate Member, a WordPress plugin installed on over 200,000 sites.

This vulnerability is being actively exploited and it hasn’t been adequately patched in the latest version available, which is 2.6.6 at the time of this writing.

The Ultimate Member plugin for WordPress is vulnerable to privilege escalation in versions up to, and including, 2.6.6. The plugin relies on a predefined list of banned user meta keys, and that filter can be bypassed in several ways, such as adding slashes to the meta key. As a result, unauthenticated attackers can register on a site as an administrator.

Ultimate Member is a plugin designed to add easy registration and account management to WordPress sites. One of the features is a registration form that users can use to sign up for an account on a WordPress site running the plugin. Unfortunately, this form makes it possible for users to register and set arbitrary user meta values for their accounts.

While the plugin has a predefined list of banned keys that a user should not be able to update, vulnerable versions of the plugin can be bypassed trivially by varying the case, adding slashes, or changing the character encoding of the supplied meta key.


This makes it possible for attackers to set the wp_capabilities user meta value, which controls the user’s role on the site, to ‘administrator’. This grants the attacker complete access to the vulnerable site when successfully exploited.
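The following is an added, simplified model of the weakness described above, written for this article rather than taken from the Ultimate Member plugin or from Wordfence. It assumes a deny-list check that compares the raw submitted key against a short, constructed list of banned keys while the key is only canonicalised (URL-decoded, backslashes stripped, lower-cased) afterwards, and contrasts it with a filter that canonicalises first and then admits only a constructed allow-list of registration fields.

```python
"""Deny-list on raw meta keys vs. allow-list on canonicalised keys (added example)."""
import urllib.parse

# Constructed deny-list; the plugin's real list is longer. Only the key
# named in the advisory, wp_capabilities, matters for this illustration.
BANNED_KEYS = {"wp_capabilities", "wp_user_level"}

# Constructed allow-list of fields a registration form legitimately sets.
ALLOWED_KEYS = {"first_name", "last_name", "description"}


def canonicalise(raw_key: str) -> str:
    """Model of the normalisation a storage layer applies before the key is
    persisted: percent-decoding, backslash removal and case folding."""
    decoded = urllib.parse.unquote(raw_key)
    return decoded.replace("\\", "").lower()


def vulnerable_filter(submitted: dict) -> dict:
    """Check-then-normalise: the deny-list sees the raw key, the store sees
    the canonical one, so any variant that differs in case, slashes or
    encoding slips through and lands on the banned name."""
    stored = {}
    for key, value in submitted.items():
        if key in BANNED_KEYS:
            continue
        stored[canonicalise(key)] = value
    return stored


def hardened_filter(submitted: dict) -> dict:
    """Normalise-then-allow: canonicalise first and keep only known fields.
    Unknown or privileged keys are dropped regardless of how they are spelled."""
    stored = {}
    for key, value in submitted.items():
        canonical = canonicalise(key)
        if canonical in ALLOWED_KEYS:
            stored[canonical] = value
    return stored


# Constructed submission: one legitimate field plus three spellings of the
# banned key, one per bypass class the advisory names (case, slashes, encoding).
CONSTRUCTED_SUBMISSION = {
    "first_name": "Alice",
    "WP_Capabilities": "<role value>",      # case variant
    "wp_capab\\ilities": "<role value>",    # backslash inserted
    "wp%5Fcapabilities": "<role value>",    # underscore percent-encoded
}

if __name__ == "__main__":
    print("vulnerable:", vulnerable_filter(CONSTRUCTED_SUBMISSION))
    print("hardened:  ", hardened_filter(CONSTRUCTED_SUBMISSION))
```

The lesson for anyone reviewing similar code is that a deny-list applied before normalisation is a canonicalisation mismatch, not a list that is merely too short: adding more spellings to the banned list does not close it, whereas normalising first and admitting only an explicit allow-list does.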


WordPress sites hacked using CVE-2023-3460 in these attacks will show the following indicators:

  • Appearance of new administrator accounts on the website
  • Usage of the usernames wpenginer, wpadmins, wpengine_backup, se_brutal, segs_brutal
  • Log records showing that IPs known to be malicious accessed the Ultimate Member registration page
  • Log records showing access from 146.70.189.245, 103.187.5.128, 103.30.11.160, 103.30.11.146, and 172.70.147.176
  • Appearance of a user account with an email address associated with “exelica.com”
  • Installation of new WordPress plugins and themes on the site
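As an added example (not part of the Wordfence advisory or this article), the script below checks a web-server access log and a WordPress user list against the indicators listed above. The log lines and user records are constructed samples; the combined log format and the registration page path `/register/` are assumptions, since the Ultimate Member registration page is configured per site. The indicator values themselves are exactly the ones listed above.

```python
"""Scan access logs and user records for the CVE-2023-3460 indicators (added example)."""
import re

# Indicators as listed in the advisory
IOC_IPS = {
    "146.70.189.245", "103.187.5.128", "103.30.11.160",
    "103.30.11.146", "172.70.147.176",
}
IOC_USERNAMES = {"wpenginer", "wpadmins", "wpengine_backup", "se_brutal", "segs_brutal"}
IOC_EMAIL_DOMAIN = "exelica.com"

# Assumption: the site's registration page; adjust to the configured slug.
REGISTRATION_PATH = "/register/"

# Assumption: Apache/Nginx "combined" log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def scan_access_log(lines):
    """Return findings for listed IoC addresses and for any POST to the
    registration page (the latter is a review item, not proof of compromise)."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        ip, method, path = m["ip"], m["method"], m["path"]
        if ip in IOC_IPS:
            findings.append({"subject": ip, "reason": "listed IoC address", "path": path})
        elif method == "POST" and path.startswith(REGISTRATION_PATH):
            findings.append({"subject": ip, "reason": "registration POST (review)", "path": path})
    return findings


def scan_users(users, known_admins):
    """Flag listed usernames, the listed e-mail domain, and administrator
    accounts that are not in the site owner's baseline of known admins."""
    findings = []
    for user in users:
        login = user["user_login"]
        email = user["user_email"].lower()
        if login in IOC_USERNAMES:
            findings.append({"subject": login, "reason": "listed IoC username"})
        if email.endswith("@" + IOC_EMAIL_DOMAIN):
            findings.append({"subject": login, "reason": "listed IoC e-mail domain"})
        if "administrator" in user["roles"] and login not in known_admins:
            findings.append({"subject": login, "reason": "administrator not in baseline"})
    return findings


# Constructed sample data (RFC 5737 documentation addresses for benign traffic)
SAMPLE_LOG = [
    '203.0.113.7 - - [29/Jun/2023:10:01:02 +0000] "GET /about/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '146.70.189.245 - - [29/Jun/2023:10:02:15 +0000] "POST /register/ HTTP/1.1" 302 0 "-" "python-requests/2.31"',
    '198.51.100.9 - - [29/Jun/2023:10:05:40 +0000] "POST /register/ HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
]
SAMPLE_USERS = [
    {"user_login": "editor_jane", "user_email": "jane@example.org", "roles": ["editor"]},
    {"user_login": "wpengine_backup", "user_email": "backup@exelica.com", "roles": ["administrator"]},
    {"user_login": "siteowner", "user_email": "owner@example.org", "roles": ["administrator"]},
]
KNOWN_ADMINS = {"siteowner"}

if __name__ == "__main__":
    for finding in scan_access_log(SAMPLE_LOG):
        print(finding)
    for finding in scan_users(SAMPLE_USERS, KNOWN_ADMINS):
        print(finding)
```

The baseline of known administrators is the part worth maintaining in practice: the listed usernames and addresses will change as the campaign evolves, but an administrator account that nobody on the team created is the indicator that does not depend on the attacker reusing the same names.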

The vulnerability remains unpatched and can quickly allow unauthenticated users to automatically take over any site with the plugin installed. This means that all 200,000 installations are currently at risk.

We recommend verifying that this plugin is not installed on your site until a patch is made available and forwarding this advisory to anyone you know who manages a WordPress website.