In the dynamic world of the Internet, security is of paramount importance. A recent discovery by the Wordfence team sheds light on the importance of vigilance and proactive security measures. The Ultimate Member plugin, which is in use on over 200,000 WordPress websites, has a critical vulnerability that is currently being actively exploited. This article highlights the vulnerability, its potential impact, and the recommended steps to mitigate the risk.
Wordfence Threat Intelligence Team discovered the vulnerability on 29 June 2023. The vulnerability allows attackers to register with administrator privileges on affected websites and potentially inject malicious code. So far, there is no update that fixes this vulnerability. It is strongly recommended to uninstall the plugin until a fix is available.
Table of contents
Critical vulnerability in detail
The vulnerability in the Ultimate Member plugin allows attackers to register as an administrator on a website by bypassing a predefined list of locked user keys that the plugin uses. Specifically, attackers can manipulate the "wp_capabilities" user meta values to register as an administrator. This grants them full access to the website.
Ultimate Member is a WordPress plugin that allows easy registration and account management on websites. One of the features is a registration form that users can use to sign up for an account. Unfortunately, this form allows users to set any user meta values for their account.
Although the plugin has a predefined list of locked keys, there are easy ways to bypass these filters, such as adding slashes to the user meta key. This allows attackers to set the "wp_capabilities" user meta value to "Administrator", which gives them full access to the affected website.
No update available yet
The latest version of the plugin, 2.6.6, does not provide a sufficient fix for the vulnerability. Therefore, the Wordfence team recommends uninstalling the plugin until a full fix is released.
Update to version 2.6.7 strongly recommended
The Ultimate Member plugin was fixed on 05.07.2023 with version 2.6.7. The update is strongly recommended for all users of the plugin.
Detection of a successful attack
There are certain signs that may indicate a successful attack. These include new user accounts with administrator privileges and unusual usernames, such as "wpengine", "wpadmins", "wpengine_backup", "se_brutal" and "segs_brutal". It is recommended that you also pay attention to suspicious IP addresses in the website access logs, as well as unexpected plugins and themes.
Some of the IP addresses that have been identified in connection with attacks are:
- 146.70.189.245
- 103.187.5.128
- 103.30.11.160
- 103.30.11.146
- 172.70.147.176
In addition, the domain "exelica.com" was detected in connection with user account email addresses. The complete list is on the Wordfence website to find.
Recommended measures
If a website is affected by this exploit, it is recommended to use a trusted WordPress Agency to contact (we are at your disposal). Alternatively, you can clean up the website yourself using the free Wordfence plugin.
It is important to note that the vulnerability has not been fixed yet and all 200,000 installations of the Ultimate Member plugin are currently at risk. It is strongly advised to uninstall the plugin until the vulnerability is fixed.
Conclusion
The critical vulnerability in the Ultimate Member plugin poses a serious threat to WordPress websites and is currently being actively exploited. The vulnerability allows attackers to register as administrators and perform potentially malicious actions on affected websites.
It is of utmost importance to be proactive and take appropriate security measures to protect the integrity of websites. Uninstalling the plugin until a security patch is released is currently the recommended course of action.
The security of online presences should always be a top priority. It is important to remain vigilant and stay up to date to identify potential threats and take appropriate action.
