uTalk

Official forum for Utopia Community

You are not logged in.

#1 2023-07-01 22:55:03

thrive
Member
Registered: 2023-01-04
Posts: 2,575

Unpatched WordPress Plugin Flaw Used by Hackers to Create Secret Admin

7Q1GOJ3.png
Up to 200,000 WordPress websites could be targeted by ongoing attacks that take advantage of a seriously unpatched security hole in the Ultimate Member plugin.

The vulnerability designated CVE-2023-3460 (CVSS score: 9.8), affects all variations of the Ultimate Member plugin, including the most recent version (2.6). 6 that was made public on June 29, 2023.

A well-liked plugin called Ultimate Member makes it easier to create user profiles and communities on WordPress websites. Additionally, it offers tools for account management.

WordPress security company WPScan issued an alert stating, "This is a very serious issue: unauthenticated attackers may exploit this vulnerability to create new user accounts with administrative privileges, giving them the power to take complete control of affected sites.

Although specifics of the flaw have been withheld due to active abuse, it was caused by insufficient blocklist logic implemented to change a new user's wp_capabilities user meta value to that of an administrator and gain full access to the website.

According to Wordfence researcher Chloe Chamberland, "the plugin has a preset defined list of banned keys, that a user should not be able to update, but there are trivial ways to bypass filters put in place such as utilizing various cases, slashes, and character encoding in a supplied meta key value in vulnerable versions of the plugin.".

When reports of rogue administrator accounts being added to the affected sites surfaced, the problem became apparent, leading the plugin maintainers to release partial fixes in versions 2.6. 4, 2.6. 5, as well as 2.6. 6. Within the next few days, a fresh update is anticipated.

In its release notes, Ultimate Member identified the issue as "a privilege escalation vulnerability used through UM Forms.". It was widely known that vulnerability made it possible for uninvited guests to create WordPress administrators. ".

However, WPScan noted that the patches are insufficient and that it discovered numerous ways to get around them, indicating that the vulnerability is still actively exploitable.

In the attacks that have been seen, the vulnerability is being used to set up new accounts with the usernames apadmins, se_brutal, segs_brutal, wpadmins, wpengine_backup, and wpenginer in order to upload malicious plugins and themes via the site's administration panel.

Ultimate Member users are advised to deactivate the plugin until a suitable patch that fully closes the security hole is made available. Auditing every website administrator user to see if any unauthorized accounts have been added is also advised.

Offline

Board footer

Powered by FluxBB