Thousands of WordPress sites could be at risk as a vulnerability in the Ultimate Member plugin gets exploited, but a quick fix will stop your site from being taken over.
The plugin, which has amassed more than 200,000 downloads on the platform, is designed to support user signups and memberships on WordPress websites.
The vulnerability which is being tracked as CVE-2023-3460 has been awarded a score of 9.8, making it ‘critical.’ It is believed to have impacted all versions of the plugin.
Ultimate Member plugin is getting a patch ASAP
WordPress support platform user softwaregeek posted their concerns about the vulnerability, which they said “allows an unauthenticated attacker to register as an administrator and take full control of the website.”
An attacker can bypass a filter that allows them to amend the wp_capabilities record, making themselves a site admin.
Plugin Support team member andrewshu confirmed that versions 2.6.4, 2.6.5, and 2.6.6 went some way to closing the vulnerability, but users were still at risk.
Wordfence, which is credited with first sounding the alarm bells, urged the plugin’s users to uninstall the plugin until a fix had been issued. The company also announced that it had released a firewall rule to help protect some of its customers.
Later, andrewshu confirmed that version 2.6.7 had been released as a fix. Details in the plugin’s changelog confirm that this is the case:
“Fixed: A privilege escalation vulnerability used through UM Forms. Known in the wild that vulnerability allowed strangers to create administrator-level WordPress users.”
In the notes, the developer urged users to ensure that they have now updated to version 2.6.7, and to check admin-level users on their site in case they have been a victim of the exploit.
- Check out our roundup of the best WordPress hosting services