Critical Security Flaw in Ultimate Member WordPress Plugin Leaves Over 200,000 Sites at Risk

• WordPress website owners must exercise caution as the ‘Ultimate Member’ plugin is under attack, with hackers exploiting a critical zero-day privilege escalation vulnerability to create rogue administrator accounts.
• It is imperative for users to update to the latest version of the Ultimate Member plugin, vigilantly monitor for any unusual activity, and conduct comprehensive security scans to safeguard their websites from potential compromises.

WordPress website owners are urged to be on high alert as hackers are exploiting a zero-day privilege escalation vulnerability in the ‘Ultimate Member’ WordPress plugin. This exploit allows attackers to compromise websites by bypassing security measures and creating rogue administrator accounts.

Ultimate Member, a popular plugin with over 200,000 active installations, streamlines user profiles, membership sign-ups, and community building on WordPress sites.

A Glimpse into the Vulnerability

The exploited flaw, known as CVE-2023-3460, has received a 9.8 score on the CVSS v3.1 scale, indicating a critical threat level. Shockingly, it impacts all versions of the Ultimate Member plugin, including the latest release, v2.6.6.

While developers made attempts to fix the vulnerability in versions 2.6.3 to 2.6.6, it was disclosed that the flaw could still be exploited. The developers are actively working on a comprehensive fix.

“We have been working on fixes related to this vulnerability since version 2.6.3 when we received a report from one of our customers,” posted an Ultimate Member developer.

“We partially closed this vulnerability in versions 2.6.4, 2.6.5, and 2.6.6 but are still working together with the WPScan team to ensure a robust solution. We have also received their report with all necessary details.”

“All previous versions are vulnerable, so we highly recommend upgrading your websites to 2.6.6 and keeping updates in the future for the latest security and feature enhancements.”

The Exploit Explained

The Ultimate Member plugin includes a registration form feature. Unfortunately, attackers can exploit this form to register and set arbitrary user meta values for their account. While there is a predefined list of banned keys, filters can be bypassed by employing various cases, slashes, and character encoding in a supplied meta key value in the vulnerable versions of the plugin.

The attackers can thus manipulate the wp_capabilities user meta value, which controls the user’s role on the site, and set it to ‘administrator’, granting them full access to the compromised site.

Recognizing Indicators of Compromise

While the attack data is still limited, there are several indicators of a compromised website:

1. New user accounts created with administrator privileges. Keep an eye on usernames such as ‘wpenginer’, ‘wpadmins’, ‘wpengine_backup’, ‘se_brutal’, and ‘segs_brutal’.
2. Access log entries showing attackers accessing a compromised site’s Ultimate Member registration page, which is typically set on the /register path.
3. Check for the following IP Addresses in site’s access logs or in Wordfence plugin’s live traffic feed:
   • 146.70.189.245
   • 103.187.5.128
   • 103.30.11.160
   • 103.30.11.146
   • 172.70.147.176
4. Look for the domain ‘exelica.com’ associated with user account email addresses.
5. Presence of plugins and themes that were not installed previously.

Website owners using the Ultimate Member plugin are strongly urged to keep their installations updated and monitor their sites for these indicators. Running a comprehensive Wordfence malware scan is also recommended to ensure the integrity of your website.