Vietnam.vn - Platform for promoting Vietnam

Security flaw puts 200,000 WordPress websites at risk

Báo Thanh niên, 02/07/2023


According to The Hacker News, the vulnerability, tracked as CVE-2023-3460 (CVSS score 9.8), exists in all versions of the Ultimate Member plugin, including the latest version (2.6.6) released on June 29, 2023.

Ultimate Member is a popular plugin for creating user profiles and communities on WordPress websites. It also offers account management features.

WPScan, a WordPress security company, said the flaw is so serious that attackers can exploit it to create new user accounts with administrative privileges, giving them complete control over affected websites.


Ultimate Member is a popular plugin with over 200,000 websites using it.

Details of the vulnerability have been withheld due to concerns about abuse. Security experts from Wordfence explain that although the plugin has a list of banned keys that users cannot update, there are simple ways to bypass the filters, such as using slashes or character encoding in the value provided in versions of the plugin.

The security flaw was disclosed after reports of fake admin accounts being added to affected websites. This prompted the plugin developers to release partial fixes in versions 2.6.4, 2.6.5, and 2.6.6. A new update is expected in the coming days.

Ultimate Member said in the new release that the privilege escalation vulnerability was exploited through UM Forms, allowing an unauthorized person to create an administrator-level WordPress user. However, WPScan pointed out that the patches were incomplete and found multiple ways to circumvent them, meaning the bug could still be exploited.

The vulnerability is being used to register new accounts under the names apads, se_brutal, segs_brutal, wpadmins, wpengine_backup, and wpenginer to upload malicious plugins and themes via the website's admin panel. Users of Ultimate Member are advised to disable the plugin until a full patch for this vulnerability is available.
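
A check site administrators can run against the account names listed above, as an added example that is not part of the original article: it reads a user export (assumed to come from WP-CLI's `wp user list --fields=user_login,roles,user_registered --format=csv`) and flags the reported names plus any administrator registered on or after a date the reviewer chooses. The function name `audit_users`, the `since` cutoff and the sample rows are constructed for illustration.

```python
import csv
import io
from datetime import datetime

# Account names reported in the article as created by attackers.
REPORTED_NAMES = {"apads", "se_brutal", "segs_brutal", "wpadmins",
                  "wpengine_backup", "wpenginer"}


def audit_users(csv_text, since):
    """Return (login, reason) findings for a WordPress user export.

    csv_text: CSV with user_login, roles and user_registered columns.
    since: datetime picked by the reviewer (assumption: start of the
           period in which the site ran a vulnerable plugin version).
    """
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        login = row["user_login"].strip()
        # A user can hold several roles, comma-separated in one field.
        roles = {r.strip() for r in row["roles"].split(",") if r.strip()}
        registered = datetime.strptime(row["user_registered"],
                                       "%Y-%m-%d %H:%M:%S")
        if login.lower() in REPORTED_NAMES:
            findings.append((login, "name reported in attacks"))
        elif "administrator" in roles and registered >= since:
            findings.append((login, "administrator created in review window"))
    return findings


# Constructed sample export (not real data).
SAMPLE = """user_login,roles,user_registered
siteowner,administrator,2019-03-11 08:15:00
wpenginer,administrator,2023-06-28 02:41:07
jane,subscriber,2023-06-30 10:00:00
helpdesk2,"administrator,editor",2023-06-30 23:59:59
WPAdmins,subscriber,2023-06-27 04:12:30
"""

if __name__ == "__main__":
    for login, reason in audit_users(SAMPLE, datetime(2023, 6, 1)):
        print(f"{login}: {reason}")
```

A reported name is flagged whatever its current role, since an account's role can be changed after creation; every flagged administrator still needs manual confirmation with the site owner.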


