A zero-day privilege escalation flaw in the “Ultimate Member” WordPress plugin is used by hackers to break into websites, register fake administrator accounts, and circumvent security measures.
Ultimate Member, a user profile and membership plugin for WordPress sites with over 200,000 active installations, is used to build communities and facilitate sign-ups.
The exploited flaw, tracked as CVE-2023-3460 and carrying a CVSS v3.1 score of 9.8 (“critical”), affects all versions of the Ultimate Member plugin, including its latest release, v2.6.6.
Even though the flaw was initially addressed by the developers in versions 2.6.3, 2.6.4, 2.6.5, and 2.6.6, there are still ways to take advantage of it. The developers have stated that they hope to release a new update soon and are working to resolve the remaining issue.
“We are working on the fixes related to this vulnerability since the 2.6.3 version, when we got a report from one of our customers,” posted one of the Ultimate Member developers.
“Versions 2.6.4, 2.6.5, 2.6.6 partially close this vulnerability, but we are still working together with the WPScan team to get the best result. We also got their report, which has all the information we need.”
“We strongly recommend upgrading your websites to 2.6.6 and continuing to update in the future to receive the most recent security and feature enhancements because all previous versions are vulnerable.”
Attacks exploiting CVE-2023-3460
Website security researchers at Wordfence identified the attacks exploiting this zero-day vulnerability and caution that threat actors can use the plugin’s registration forms to set arbitrary user meta values on the accounts they create.
More specifically, attackers set their own user role to administrator through the “wp_capabilities” user meta value, giving them full control of the vulnerable website.
The plugin features a blocklist for keys that users shouldn’t be able to update; nonetheless, Wordfence claims that it is simple to get around this security barrier.
WordPress sites hacked using CVE-2023-3460 in these attacks will show the following indicators:
- Appearance of new administrator accounts on the website
- Usage of the usernames wpenginer, wpadmins, wpengine_backup, se_brutal, segs_brutal
- Log records showing that IPs known to be malicious accessed the Ultimate Member registration page
- Log records showing access from 188.8.131.52, 184.108.40.206, 220.127.116.11, 18.104.22.168, and 22.214.171.124
- Appearance of a user account with an email address associated with “exelica.com”
- Installation of new WordPress plugins and themes on the site
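The indicators above lend themselves to a quick triage script. The following Python example is added here and is not code from the article, from Wordfence or from the Ultimate Member project: it parses combined-format web server access log lines for requests to the registration page from the listed IP addresses, and checks a user export for the listed usernames, the “exelica.com” email domain, and administrator accounts that are not on the site owner's known-admin list. The registration page path (`/register/`), the log lines and the user records are constructed assumptions for the example; adjust the path and feed in the site's real logs and user list.

```python
"""Triage helper for the CVE-2023-3460 indicators listed in the article (added example)."""
import re

# Indicators of compromise as listed in the article (Wordfence's findings)
SUSPICIOUS_USERNAMES = {"wpenginer", "wpadmins", "wpengine_backup", "se_brutal", "segs_brutal"}
SUSPICIOUS_IPS = {"188.8.131.52", "184.108.40.206", "220.127.116.11", "18.104.22.168", "22.214.171.124"}
SUSPICIOUS_EMAIL_DOMAIN = "exelica.com"

# Assumption: the site's Ultimate Member registration page is served at /register/;
# change this to the slug the site actually uses.
REGISTRATION_PATHS = ("/register/",)

# Combined log format as written by nginx/Apache: ip ident user [time] "METHOD path proto" status ...
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample access log: one ordinary visitor plus two POSTs from listed IPs
SAMPLE_ACCESS_LOG = """\
203.0.113.10 - - [29/Jun/2023:10:01:02 +0000] "GET /blog/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
188.8.131.52 - - [29/Jun/2023:10:02:15 +0000] "POST /register/ HTTP/1.1" 302 0 "-" "python-requests/2.31"
203.0.113.10 - - [29/Jun/2023:10:03:44 +0000] "GET /register/ HTTP/1.1" 200 8210 "-" "Mozilla/5.0"
22.214.171.124 - - [29/Jun/2023:10:04:09 +0000] "POST /register/ HTTP/1.1" 302 0 "-" "curl/8.1.2"
"""

# Constructed sample user export: (username, email, roles)
SAMPLE_USERS = [
    ("editor_jane", "jane@example.org", ["editor"]),
    ("wpengine_backup", "backup@example.org", ["administrator"]),
    ("newmember", "signup@exelica.com", ["subscriber"]),
    ("siteowner", "owner@example.org", ["administrator"]),
]


def parse_access_log(text):
    """Yield one dict per line that matches the combined log format; skip the rest."""
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if m:
            yield m.groupdict()


def find_registration_hits(log_text, registration_paths=REGISTRATION_PATHS, suspicious_ips=SUSPICIOUS_IPS):
    """Return (ip, method, path, timestamp) for requests to the registration page from listed IPs."""
    hits = []
    for rec in parse_access_log(log_text):
        path = rec["path"].split("?", 1)[0]  # compare the path without any query string
        if rec["ip"] in suspicious_ips and path in registration_paths:
            hits.append((rec["ip"], rec["method"], path, rec["ts"]))
    return hits


def find_suspicious_users(users, known_admins=()):
    """Return (username, [reasons]) for accounts matching the IoCs or holding an
    administrator role without appearing in the site's known-admin list."""
    findings = []
    for username, email, roles in users:
        reasons = []
        if username.lower() in SUSPICIOUS_USERNAMES:
            reasons.append("username matches IoC")
        if email.lower().rsplit("@", 1)[-1] == SUSPICIOUS_EMAIL_DOMAIN:
            reasons.append("email domain matches IoC")
        if "administrator" in roles and username not in known_admins:
            reasons.append("unexpected administrator role")
        if reasons:
            findings.append((username, reasons))
    return findings


if __name__ == "__main__":
    for hit in find_registration_hits(SAMPLE_ACCESS_LOG):
        print("registration request from listed IP:", hit)
    for username, reasons in find_suspicious_users(SAMPLE_USERS, known_admins=("siteowner",)):
        print(f"review account {username!r}: {', '.join(reasons)}")
```

The administrator check deliberately flags every admin account that the site owner has not explicitly listed, rather than only the five known usernames, because the attacker chooses the username at registration time and the listed names are only those observed so far.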
Wordfence advises removing the Ultimate Member plugin immediately, because the critical vulnerability is still present and is simple to exploit.
According to Wordfence, until the issue is fully resolved by the plugin’s vendor, removing the plugin is the only sensible course of action; Wordfence notes that even the firewall rule it designed specifically to protect its customers from this vulnerability does not cover all potential exploitation scenarios.
If the IoCs given above show that a site has already been compromised, removing the plugin alone will not be sufficient to address the threat.
In such cases, website owners must perform thorough malware scans to remove every trace of the intrusion, including any backdoors and rogue administrator accounts that may have been installed.