Researchers have spotted threat actors exploiting a critical unpatched security vulnerability in the WordPress Ultimate Member plugin.
The flaw, tracked as CVE-2023-3460 with a CVSS score of 9.8, impacts all versions of the Ultimate Member plugin, including the latest version (2.6.6), released on June 29, 2023.
Ultimate Member is a popular plugin that facilitates the creation of user profiles and communities on WordPress sites, and it also provides account management features. It is widely used, running on 200,000 sites.
Unauthenticated attackers may exploit this vulnerability to create new user accounts with administrative privileges, giving them the power to take complete control of affected sites.
Details about the flaw have been withheld because of active exploitation. It stems from inadequate blocklist logic that is meant to stop user-supplied data from altering the wp_capabilities user meta value; bypassing that blocklist lets a newly registered user be given the capabilities of an administrator and gain full access to the site.
The issue came to light after reports emerged of rogue administrator accounts being added to affected sites, prompting the plugin maintainers to issue partial fixes in versions 2.6.4, 2.6.5, and 2.6.6.
Researchers pointed out that the patches are incomplete and that they found numerous methods to circumvent them, meaning the issue is still actively exploitable.
The flaw is being used to register new accounts under the names apadmins, se_brutal, segs_brutal, wpadmins, wpengine_backup, and wpenginer to upload malicious plugins and themes through the site’s administration panel.
Site owners are advised to:
- Disable the plugin until a proper patch that completely plugs the security hole is made available.
- Audit all administrator-level users on their websites to determine whether any unauthorized accounts have been added.
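The two defensive points above, the allowlist alternative to the plugin's blocklist on registration fields and the audit of administrator-level accounts, as an added example that is not part of the article or of the Ultimate Member project. It assumes a site whose table prefix is `wp_` (so the capability key is `wp_capabilities`), and the user rows it audits are constructed here in the shape of a `wp_users` row joined with that user's `wp_capabilities` meta value; the "registered on or after the partial-fix date" heuristic is an assumption of this example, not guidance from the article.

```python
"""Added example (not from the article or the Ultimate Member project).

Part 1: filter registration/profile fields with an allowlist of keys the form
        may write, instead of a blocklist of forbidden meta keys. A blocklist
        must anticipate every dangerous key; an allowlist only has to know the
        handful of keys a public form legitimately sets.
Part 2: audit every account whose wp_capabilities meta grants 'administrator',
        flagging the rogue usernames named in the article and any administrator
        registered on or after 2023-06-29 (the 2.6.6 release date; using it as
        a review threshold is this example's assumption).

All user data below is constructed; nothing queries a live site.
"""
from datetime import datetime, timezone
import json
import re

# Keys a public registration form is allowed to write. Everything else is dropped.
ALLOWED_PROFILE_KEYS = frozenset({"first_name", "last_name", "description", "user_url"})

# Usernames the article reports being registered by the campaign.
ROGUE_LOGINS = frozenset({
    "apadmins", "se_brutal", "segs_brutal", "wpadmins", "wpengine_backup", "wpenginer",
})

# Release date of 2.6.6 from the article, used here as a review threshold (assumption).
REVIEW_FROM = datetime(2023, 6, 29, tzinfo=timezone.utc)


def filter_registration_fields(submitted: dict) -> dict:
    """Allowlist filter: keep only known profile keys, drop all others.

    Privilege-bearing keys such as wp_capabilities can never reach the user
    meta table through this path, however they are spelled or prefixed,
    because they are simply not in the allowlist.
    """
    return {key: value for key, value in submitted.items() if key in ALLOWED_PROFILE_KEYS}


def is_administrator_capability(meta_value: str) -> bool:
    """True if a serialized wp_capabilities value grants 'administrator'.

    WordPress stores capabilities as a PHP-serialized array, e.g.
    a:1:{s:13:"administrator";b:1;}   (13 == len('administrator')).
    """
    return re.search(r's:13:"administrator";b:1;', meta_value) is not None


# Constructed sample: wp_users columns plus each user's wp_capabilities meta value.
SAMPLE_USER_ROWS = json.dumps([
    {"ID": 1, "user_login": "owner", "user_registered": "2021-03-04 10:11:12",
     "wp_capabilities": 'a:1:{s:13:"administrator";b:1;}'},
    {"ID": 57, "user_login": "editor_jane", "user_registered": "2022-08-15 08:00:00",
     "wp_capabilities": 'a:1:{s:6:"editor";b:1;}'},
    {"ID": 1203, "user_login": "wpengine_backup", "user_registered": "2023-07-01 02:13:44",
     "wp_capabilities": 'a:1:{s:13:"administrator";b:1;}'},
    {"ID": 1204, "user_login": "newhire", "user_registered": "2023-07-02 09:00:00",
     "wp_capabilities": 'a:2:{s:10:"subscriber";b:1;s:13:"administrator";b:1;}'},
])


def audit_administrators(rows_json: str) -> list:
    """Return every administrator account with the reasons it deserves review.

    Each finding: {"ID", "user_login", "registered", "flags"}; an empty flags
    list means the account is an administrator with nothing suspicious noted.
    """
    findings = []
    for row in json.loads(rows_json):
        if not is_administrator_capability(row.get("wp_capabilities", "")):
            continue
        registered = datetime.strptime(
            row["user_registered"], "%Y-%m-%d %H:%M:%S"
        ).replace(tzinfo=timezone.utc)
        flags = []
        if row["user_login"].lower() in ROGUE_LOGINS:
            flags.append("login matches rogue account name from the campaign")
        if registered >= REVIEW_FROM:
            flags.append("administrator created on/after 2023-06-29")
        findings.append({
            "ID": row["ID"],
            "user_login": row["user_login"],
            "registered": registered.date().isoformat(),
            "flags": flags,
        })
    return findings


if __name__ == "__main__":
    for finding in audit_administrators(SAMPLE_USER_ROWS):
        status = "; ".join(finding["flags"]) or "no flags"
        print(f'{finding["ID"]:>6}  {finding["user_login"]:<18} {finding["registered"]}  {status}')
```

On a real site the same audit can be fed from a `wp user list --role=administrator --format=json` export or from a query joining `wp_users` with `wp_usermeta` where `meta_key = 'wp_capabilities'`; an account that matches one of the campaign's usernames, or that nobody on the team recognises, is the signal the article's second recommendation is looking for.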