A vulnerability found in the Ultimate Member plugin could be exploited to compromise thousands of WordPress sites. However, applying a quick fix can prevent your site from being compromised and taken over.
The plugin, which has amassed more than 200,000 downloads on the platform, is designed to support user signups and memberships on WordPress websites.
The vulnerability, identified as CVE-2023-3460, has received a critical severity score of 9.8. This vulnerability is believed to have affected all versions of the plugin.
Concerns regarding the vulnerability were expressed by softwaregeek, a user on the WordPress support platform. According to their statement, the vulnerability enables an unauthenticated attacker to register as an administrator and gain complete control over the website.
An attacker can bypass a filter and amend the wp_capabilities record, making themselves a site admin.
According to the Plugin Support team member andrewshu, versions 2.6.4, 2.6.5, and 2.6.6 of the plugin attempted to address the vulnerability, but did not fully fix it, so users remained vulnerable.
Wordfence, the organization credited with raising the initial alarm, advised users of the plugin to uninstall it until a fix was made available. Additionally, Wordfence announced the release of a firewall rule to provide added protection for some of its customers.
In the release notes, the developer emphasized the importance of promptly updating to version 2.6.7. Additionally, they advised users to thoroughly review the admin-level users on their site to check whether any of them were created through the exploit.
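As an added defender's example, not part of the original article or the plugin's own code, the review of admin-level accounts recommended above can be scripted: the code below parses the PHP-serialized `wp_capabilities` usermeta value (the record the attacker amends) and lists every account holding the administrator role, flagging any login that is not on the site owner's known list. The user and usermeta rows are constructed sample data, and the default `wp_` table prefix is assumed.

```python
import re

# Constructed sample rows in the shape of wp_users / wp_usermeta exports (not real site data).
# The capabilities meta_key is the table prefix plus "capabilities"; the default prefix is wp_.
USERS = [
    {"ID": 1, "user_login": "owner", "user_registered": "2021-03-10 09:12:00"},
    {"ID": 2, "user_login": "editor_jane", "user_registered": "2022-11-02 14:05:33"},
    {"ID": 3, "user_login": "newmember42", "user_registered": "2023-06-29 02:41:17"},
]
USERMETA = [
    {"user_id": 1, "meta_key": "wp_capabilities", "meta_value": 'a:1:{s:13:"administrator";b:1;}'},
    {"user_id": 2, "meta_key": "wp_capabilities", "meta_value": 'a:1:{s:6:"editor";b:1;}'},
    # A subscriber whose capabilities record has had "administrator" appended to it.
    {"user_id": 3, "meta_key": "wp_capabilities",
     "meta_value": 'a:2:{s:10:"subscriber";b:1;s:13:"administrator";b:1;}'},
]

# One PHP-serialized string key followed by a boolean value: s:<len>:"<role>";b:<0|1>;
ROLE_RE = re.compile(r's:(\d+):"([^"]*)";b:([01]);')


def parse_roles(serialized):
    """Return the roles switched on in a PHP-serialized wp_capabilities value."""
    roles = set()
    for length, name, flag in ROLE_RE.findall(serialized):
        # PHP's unserialize() rejects a string whose declared byte length is wrong; do the same.
        if int(length) == len(name.encode("utf-8")) and flag == "1":
            roles.add(name)
    return roles


def find_admin_users(users, usermeta, prefix="wp_", known_admins=frozenset()):
    """List every account holding the administrator role, newest registration first,
    marking accounts whose login is not in the site owner's known_admins set."""
    caps = {m["user_id"]: m["meta_value"]
            for m in usermeta if m["meta_key"] == prefix + "capabilities"}
    admins = []
    for u in users:
        roles = parse_roles(caps.get(u["ID"], ""))
        if "administrator" in roles:
            admins.append({
                "user_login": u["user_login"],
                "registered": u["user_registered"],
                "roles": sorted(roles),
                "unexpected": u["user_login"] not in known_admins,
            })
    admins.sort(key=lambda a: a["registered"], reverse=True)
    return admins


if __name__ == "__main__":
    for a in find_admin_users(USERS, USERMETA, known_admins={"owner"}):
        tag = "REVIEW" if a["unexpected"] else "ok    "
        print(tag, a["user_login"], a["registered"], a["roles"])
```

On a live site the same rows can be pulled from the `users` and `usermeta` tables (or a database export) and fed to `find_admin_users`, with `prefix` set to the site's actual table prefix.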