July 1, 2023

Ultimate Members Exploit targets over 200K Websites

An Ultimate Members Exploit targets over 200K Websites, unmasking a critical vulnerability. The plugin, designed to simplify user registration and login, has inadvertently opened the door to unauthenticated attackers, allowing them to create new user accounts with administrative privileges. Read on to learn about the nature of this exploit, its implications, and the steps taken to address it.

The Ultimate Members Exploit Explained

The security flaw, tracked as CVE-2023-3460 with a CVSS score of 9.8, lies in a conflict between the Ultimate Member plugin’s blocklist logic and how WordPress treats metadata keys. In simpler terms, the plugin maintains a list of user metadata keys (think of them as labels or tags) that users should not be allowed to manipulate. Because of a loophole in how that list is checked, attackers were able to trick the plugin into updating keys it should have refused, such as “wp_capabilities”, which is where WordPress stores a user’s role and capabilities.

The Exploit in Action

The typical attacks observed generally involve the following steps:

  1. An initial POST request is made to the plugin’s user registration page, which is typically “/register”.
  2. The attacker then attempts to log in with the newly created account using the “/wp-login.php” page.
  3. Finally, a malicious plugin is uploaded through the site’s administration panel.

Common usernames for malicious accounts created during the recent attack wave include “apadmins”, “wpadmins”, “wpenginer”, and “segs_brutal”. Other indicators of compromise include malicious plugins, themes, and code additions.
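The three-step chain above (registration, login, plugin upload) leaves a recognisable trace in the web server’s access log. The following is an added example, not code from the original post or from the Ultimate Member project, that walks an access log in Apache combined format and reports which client IPs progressed through that sequence. The log lines are constructed for the example; the plugin-upload endpoint is assumed to be the standard `/wp-admin/update.php?action=upload-plugin` handler, and the registration path is assumed to end in `/register` as the article describes.

```python
import re
from collections import defaultdict

# Constructed sample access log (Apache combined format); not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [29/Jun/2023:10:01:02 +0000] "POST /register/ HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.5 - - [29/Jun/2023:10:01:09 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.5 - - [29/Jun/2023:10:02:41 +0000] "POST /wp-admin/update.php?action=upload-plugin HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.7 - - [29/Jun/2023:10:03:00 +0000] "GET /register/ HTTP/1.1" 200 8192 "-" "Mozilla/5.0"
198.51.100.7 - - [29/Jun/2023:10:03:30 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.9 - - [29/Jun/2023:10:05:00 +0000] "POST /register/ HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

# Minimal combined-log parser: client IP, timestamp, method, request path, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# The attack chain from the article, in order. Each stage is (name, predicate on method/path).
# Paths are assumptions: "/register" per the article, the upload handler per core WordPress.
STAGES = [
    ("register", lambda m, p: m == "POST" and p.rstrip("/").endswith("/register")),
    ("login", lambda m, p: m == "POST" and p.startswith("/wp-login.php")),
    ("plugin-upload", lambda m, p: m == "POST"
        and p.startswith("/wp-admin/update.php") and "action=upload-plugin" in p),
]


def parse(log_text):
    """Yield one dict per well-formed log line; malformed lines are skipped."""
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield m.groupdict()


def find_chains(log_text):
    """Return {ip: [stage names reached, in order]} for every IP that at least
    started the chain. A stage only counts once the previous stage was seen
    from the same IP, so an ordinary login never registers as stage 1."""
    progress = defaultdict(int)
    for rec in parse(log_text):
        ip = rec["ip"]
        stage = progress[ip]
        if stage < len(STAGES) and STAGES[stage][1](rec["method"], rec["path"]):
            progress[ip] = stage + 1
    return {ip: [STAGES[i][0] for i in range(n)] for ip, n in progress.items() if n > 0}


def suspicious_ips(log_text, min_stages=2):
    """IPs that reached at least `min_stages` stages of the chain, sorted."""
    return sorted(ip for ip, s in find_chains(log_text).items() if len(s) >= min_stages)


if __name__ == "__main__":
    for ip, stages in find_chains(SAMPLE_LOG).items():
        print(ip, "->", " > ".join(stages))
```

A registration followed by a login is normal behaviour for a legitimate new user, so on a real site the full three-stage chain, or a two-stage chain from an IP whose new account ended up with the administrator role, is the signal worth triaging; cross-check it against the user table rather than acting on the log alone.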

The Response

In response to the vulnerability report, the plugin’s creators promptly released new versions, 2.6.4, 2.6.5, and 2.6.6, intended to fix the problem. However, these updates were found to be insufficient, as the issue remained fully exploitable.

Conclusion and Actionable Advice

Given the severity of the issue, it is recommended that site owners disable the Ultimate Member plugin until a comprehensive patch is available. Here’s how you can do it:

  1. Log in to your WordPress dashboard.
  2. Navigate to ‘Plugins’.
  3. Find ‘Ultimate Member’ in your list of installed plugins.
  4. Click ‘Deactivate’.

In addition, site owners should audit all administrator accounts on their sites to identify rogue ones. Regularly update your plugins and themes, and always maintain a recent site backup.
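The administrator audit recommended above can be scripted against a user export. The following is an added example, not code from the original post or from the Ultimate Member project. It assumes a JSON list of users in the shape produced by `wp user list --fields=ID,user_login,user_email,user_registered,roles --format=json` (the sample below is constructed), and flags any administrator that is not on the owner’s approved list, any administrator registered after a chosen cutoff date, and any account whose username matches the ones the article reports from this attack wave.

```python
import json
from datetime import datetime

# Usernames the article lists as seen on rogue accounts in this attack wave.
KNOWN_ROGUE_USERNAMES = {"apadmins", "wpadmins", "wpenginer", "segs_brutal"}

# Constructed sample in the shape of `wp user list ... --format=json`
# (assumption: roles arrive as a comma-separated string, as WP-CLI emits them).
SAMPLE_USERS = json.dumps([
    {"ID": 1, "user_login": "owner", "user_email": "owner@example.com",
     "user_registered": "2021-03-02 09:15:00", "roles": "administrator"},
    {"ID": 42, "user_login": "editor_jane", "user_email": "jane@example.com",
     "user_registered": "2022-11-20 14:00:00", "roles": "editor"},
    {"ID": 317, "user_login": "wpadmins", "user_email": "x@example.net",
     "user_registered": "2023-06-28 03:12:44", "roles": "administrator"},
    {"ID": 318, "user_login": "newsletter_bob", "user_email": "bob@example.com",
     "user_registered": "2023-06-29 11:00:00", "roles": "subscriber"},
    {"ID": 319, "user_login": "support2", "user_email": "s@example.org",
     "user_registered": "2023-06-30 22:41:10", "roles": "administrator"},
])


def audit_admins(users_json, expected_admins, registered_after):
    """Return [(ID, user_login, [reasons])] for accounts that need a look.

    expected_admins: set of usernames the site owner knows should be administrators.
    registered_after: ISO date; administrators created on or after it are flagged,
    which catches accounts minted during the attack window regardless of name.
    """
    cutoff = datetime.fromisoformat(registered_after)
    findings = []
    for u in json.loads(users_json):
        roles = set(u["roles"].split(","))
        is_admin = "administrator" in roles
        reasons = []
        if is_admin and u["user_login"] not in expected_admins:
            reasons.append("unexpected administrator")
        if u["user_login"].lower() in KNOWN_ROGUE_USERNAMES:
            reasons.append("username matches reported IoC")
        if is_admin and datetime.fromisoformat(u["user_registered"]) >= cutoff:
            reasons.append("administrator registered after cutoff")
        if reasons:
            findings.append((u["ID"], u["user_login"], reasons))
    return findings


if __name__ == "__main__":
    for uid, login, reasons in audit_admins(SAMPLE_USERS, {"owner"}, "2023-06-01"):
        print(f"user {uid} ({login}): {'; '.join(reasons)}")
```

The approved-administrator list is the strongest of the three checks, because attackers are free to pick any username; the IoC names are only useful for quickly confirming that a site was hit by this particular wave. Once a rogue account is found, review what it did (uploaded plugins, theme edits, new files) rather than just deleting the user, since the article notes those are the other indicators of compromise.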
