Bajorat Media

Critical security flaw in the Ultimate Member Plugin threatens WordPress websites

Discover how a critical vulnerability in the Ultimate Member Plugin puts WordPress websites at risk and how you can protect yourself.

In the dynamic world of the Internet, security is of utmost importance. A recent discovery by the Wordfence team underlines the importance of vigilance and proactive security measures. The Ultimate Member Plugin, used on over 200,000 WordPress websites, has a critical security vulnerability that is currently being actively exploited. This article describes the vulnerability, its potential impact, and recommended steps to mitigate the risk. The Wordfence Threat Intelligence Team discovered the vulnerability on June 29, 2023. The vulnerability allows attackers to register with administrator rights on affected websites and potentially inject malicious code. So far there is no update that fixes this vulnerability. It is strongly recommended that you uninstall the plugin until a solution is available.

Critical security vulnerability in detail

The vulnerability in the Ultimate Member plugin allows attackers to register as an administrator on a website by bypassing a predefined list of blocked user meta keys that the plugin uses. In particular, attackers can manipulate the user meta value “wp_capabilities” to register as an administrator. This grants them full access to the website.

Ultimate Member is a WordPress plugin that enables easy registration and account management on websites. One of its features is a registration form that users can use to sign up for an account. Unfortunately, this form allows users to set arbitrary user meta values for their account. Although the plugin has a predefined list of blocked keys, there are easy methods to bypass these filters, for example adding slashes to the user meta key. This allows attackers to set the “wp_capabilities” user meta value to “Administrator”, granting them full access to the affected website.

No update available yet

The latest version of the plugin, 2.6.6, does not provide a sufficient fix for the vulnerability. The Wordfence team therefore recommends uninstalling the plugin until a full fix is released.

The Ultimate Member Plugin was fixed on July 5th, 2023 with version 2.6.7. The update is strongly recommended for all users of the plugin.

Detecting a successful attack

There are certain signs that can indicate a successful attack. These include new user accounts with administrative privileges and unusual usernames such as “wpengine,” “wpadmins,” “wpengine_backup,” “se_brutal,” and “segs_brutal.” It is recommended to also pay attention to suspicious IP addresses in the website access logs, as well as unexpected plugins and themes. Some of the IP addresses identified in connection with attacks include:

  • 146.70.189.245
  • 103.187.5.128
  • 103.30.11.160
  • 103.30.11.146
  • 172.70.147.176

In addition, the domain “exelica.com” was discovered in connection with user account email addresses. The complete list can be found on the Wordfence website.
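The checks described above can be scripted. The following is an added example, not code from Wordfence or from the original article; it assumes user rows exported from wp_users together with each account's “wp_capabilities” user meta value, an access log in combined log format, and a list of administrators you expect to exist. The function names and sample data are constructed for illustration.

```python
import re

# Indicators copied from the article above.
IOC_USERNAMES = {"wpengine", "wpadmins", "wpengine_backup", "se_brutal", "segs_brutal"}
IOC_IPS = {"146.70.189.245", "103.187.5.128", "103.30.11.160", "103.30.11.146", "172.70.147.176"}
IOC_EMAIL_DOMAIN = "exelica.com"
# Enabled roles are the string keys of the PHP-serialized wp_capabilities array.
ROLE_RE = re.compile(r's:\d+:"([^"]+)";b:1;')
LOG_RE = re.compile(r'(\S+) \S+ \S+ \[[^\]]+\] "([^"]*)"')

def roles(serialized_caps):
    """Return the roles enabled in a serialized wp_capabilities value."""
    return {name.lower() for name in ROLE_RE.findall(serialized_caps)}

def review_users(users, expected_admins):
    """Map login -> reasons for unexpected administrators and IoC matches."""
    expected = {name.lower() for name in expected_admins}
    findings = {}
    for user in users:
        login, reasons = user["login"].lower(), []
        if "administrator" in roles(user["caps"]) and login not in expected:
            reasons.append("unexpected administrator")
        if login in IOC_USERNAMES:
            reasons.append("username on IoC list")
        if user["email"].lower().rpartition("@")[2] == IOC_EMAIL_DOMAIN:
            reasons.append("e-mail domain on IoC list")
        if reasons:
            findings[user["login"]] = reasons
    return findings

def review_access_log(lines):
    """Return (ip, request) for lines whose client address is on the IoC list."""
    matches = (LOG_RE.match(line) for line in lines)
    return [(m.group(1), m.group(2)) for m in matches if m and m.group(1) in IOC_IPS]

# Constructed sample data (not real site data), shaped like a user export and a log excerpt.
SAMPLE_USERS = [
    {"login": "editor_anna", "email": "anna@example.org", "caps": 'a:1:{s:6:"editor";b:1;}'},
    {"login": "siteowner", "email": "owner@example.org", "caps": 'a:1:{s:13:"administrator";b:1;}'},
    {"login": "wpadmins", "email": "x1@exelica.com", "caps": 'a:1:{s:13:"administrator";b:1;}'},
    {"login": "newhelper", "email": "helper@example.org", "caps": 'a:1:{s:13:"administrator";b:1;}'},
]
SAMPLE_LOG = [
    '198.51.100.7 - - [29/Jun/2023:10:01:02 +0000] "GET / HTTP/1.1" 200 5120',
    '146.70.189.245 - - [29/Jun/2023:10:02:11 +0000] "POST /register/ HTTP/1.1" 302 0',
]
if __name__ == "__main__":
    print(review_users(SAMPLE_USERS, {"siteowner"}))
    print(review_access_log(SAMPLE_LOG))
```

An administrator account that is not on your expected list is reported even when its name matches no published indicator, since attackers can choose any username.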

If a website is affected by this exploit, it is recommended to contact a trusted WordPress agency (we are happy to assist you). Alternatively, you can clean the website yourself using the free Wordfence plugin. It is important to note that the vulnerability has not yet been patched and all 200,000 installations of the Ultimate Member Plugin are currently at risk. It is strongly recommended that you uninstall the plugin until the security vulnerability is fixed.

Conclusion

The critical vulnerability in the Ultimate Member Plugin poses a serious threat to WordPress websites and is currently being actively exploited. The vulnerability allows attackers to register as administrators and perform potentially malicious actions on affected websites. It is of utmost importance to be proactive and take appropriate security measures to protect the integrity of websites. Uninstalling the plugin until a security patch is released is currently the recommended approach. The security of online presences should always be a top priority. It is important to remain vigilant and stay informed to identify potential threats and take appropriate action.
