Vulnerability in the WordPress plugin “Ultimate Member” allows complete takeover of a website
A vulnerability in the Ultimate Member WordPress plugin, which has over 200,000 active installs, is being actively exploited on unpatched WordPress sites. Bypassing the plugin's security filters is said to require only minor effort.
Vulnerability in the Ultimate Member plugin
The Ultimate Member WordPress plugin allows publishers to create online communities on their websites.
The plugin works by creating a smooth process for user logins and user profile creation. It’s a popular plugin, especially for membership sites.
The free version of the plugin has a generous feature set, including frontend user profiles, registration and login; publishers can also create member directories.
The plugin also contained a critical bug that allowed a site visitor to create member profiles with essentially administrative privileges.
The security database WPScan describes the severity of the vulnerability:
“The plugin doesn’t prevent visitors from creating user accounts with arbitrary functionality, effectively allowing attackers to create admin accounts at will.
This is actively exploited in the wild.”
Failed security update
The vulnerability was discovered in late June 2023 and Ultimate Member publishers quickly responded with a patch to close the vulnerability.
The patch was released in version 2.6.5 on June 28th.
The official changelog for the plugin states:
“Fixed a security vulnerability in privilege escalation exploited via UM Forms.
It is widely known that the vulnerability allows strangers to create admin-level WordPress users.
Please update immediately and verify all admin level users on your site.”
However, this fix did not completely close the vulnerability and hackers continued to exploit it on websites.
Wordfence security researchers analyzed the plugin and found on June 29th that the patch was not effective, describing their findings in a blog post:
“Upon further investigation, we discovered that this vulnerability is being actively exploited and has not been adequately patched in the latest available version, which is 2.6.6 at the time of writing.”
The problem was so bad that Wordfence called the effort needed to exploit the plugin trivial.
Wordfence explains:
“While the plugin has a default list of blocked keys that a user cannot update, there are trivial ways to bypass established filters, e.g. using different case, forward slash, and character encoding in a provided meta key value in vulnerable versions of the plugin.
This allows attackers to set the wp_capabilities user meta value, which controls the user’s role on the site, to “Administrator”.
This grants the attacker full access to the vulnerable website if exploited successfully.”
The Administrator user level is the highest level of access to a WordPress site.
What makes this exploit particularly concerning is that it is an “unauthenticated privilege escalation”: an attacker needs no existing access to the website at all to exploit the plugin.
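The Wordfence quote above describes the root cause: an exact-match blocklist of meta keys that spelling variants slip past. The following example code is added here and is not the plugin's own; it contrasts that naive check with one that canonicalizes the submitted key first and, better still, accepts only fields a form has explicitly registered. The protected key names and the sample submissions are constructed for the example (WordPress stores the role in "{table_prefix}capabilities", commonly "wp_capabilities").

```python
from urllib.parse import unquote

# Constructed for this example: the meta keys a profile form must never write.
PROTECTED_META_KEYS = {"wp_capabilities", "wp_user_level"}
PROTECTED_SUFFIXES = ("capabilities", "user_level")  # table prefix may differ


def naive_is_blocked(meta_key: str) -> bool:
    """Exact-match blocklist: "WP_Capabilities" slips straight past it."""
    return meta_key in PROTECTED_META_KEYS


def canonicalize(meta_key: str) -> str:
    """Normalize a submitted key so spelling variants compare equal."""
    key = meta_key
    for _ in range(3):                 # undo single or double percent-encoding
        decoded = unquote(key)
        if decoded == key:
            break
        key = decoded
    key = key.replace("\\", "").replace("/", "")  # slash variants
    return key.strip().lower()                    # case variants


def hardened_is_blocked(meta_key: str) -> bool:
    """Blocklist applied to the canonical form, independent of table prefix."""
    canon = canonicalize(meta_key)
    return canon in PROTECTED_META_KEYS or canon.endswith(PROTECTED_SUFFIXES)


def is_allowed(meta_key: str, registered_fields: set[str]) -> bool:
    """Allowlist: a form may write only fields it explicitly registered."""
    canon = canonicalize(meta_key)
    return canon in registered_fields and not hardened_is_blocked(canon)


if __name__ == "__main__":
    # Constructed sample submissions of the kinds the article names.
    for key in ["wp_capabilities", "WP_Capabilities",
                "wp_/capabilities", "wp_cap%61bilities"]:
        print(f"{key!r:24} naive={naive_is_blocked(key)!s:5} "
              f"hardened={hardened_is_blocked(key)}")
```

Only the first sample is caught by the exact-match check; the canonicalized check rejects all four, and the allowlist rejects anything a form did not register.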
Ultimate Member apologizes
The Ultimate Member team released a public apology to its users, detailing everything that happened and how they responded.
It should be noted that most companies issue a patch and remain silent. It is therefore commendable and responsible that Ultimate Member openly informed its customers about the security incident.
Ultimate Member wrote:
“First of all, we would like to apologize for these vulnerabilities in our plugin’s code, as well as to all affected websites, and thank you for the concern that the knowledge of the vulnerabilities may have caused.
As soon as we became aware that security vulnerabilities were discovered in the plugin, we immediately started updating the code to close the vulnerabilities.
We have released several updates since disclosure while working on the vulnerabilities and we would like to give a big thank you to the team at WPScan for their support and guidance after they contacted us to disclose the vulnerabilities.”
Plugin users are urged to update immediately
The security researchers at WPScan urge all users of the plugin to update their sites to version 2.6.7 immediately.
A special announcement from WPScan states:
Hacking campaign actively exploits Ultimate Member plugin
“A new version, 2.6.7, was released this weekend and fixes the issue.
If you are using Ultimate Member, update to this version as soon as possible.
This is a very serious issue: Unauthenticated attackers can exploit this vulnerability to create new user accounts with administrative privileges, thereby taking complete control over affected websites.”
The vulnerability is rated 9.8 on a scale of 1 to 10, with 10 being the most severe.
Users are strongly advised to update the plugin immediately.