Hackers Exploiting Unpatched WordPress Plugin Flaw to Create Secret Admin Accounts

Source: The Hacker News - Link to Article

The Hacker News reports on an ongoing attack that exploits a critical unpatched security vulnerability in the Ultimate Member plugin, putting as many as 200,000 WordPress websites at risk.

The vulnerability, identified as CVE-2023-3460 (CVSS score: 9.8), affects all versions of the Ultimate Member plugin, including the latest version 2.6.6 released on June 29, 2023.

Ultimate Member is a popular WordPress plugin that facilitates the creation of user profiles and communities while offering account management features.

According to WPScan, a WordPress security firm, this issue is extremely serious as unauthenticated attackers can exploit the vulnerability to create new user accounts with administrative privileges, granting them full control over the affected sites.

Although specific details about the flaw have been withheld to prevent further abuse, it stems from inadequate blocklist logic used to modify the wp_capabilities user meta value of a new user and gain complete access to the site.

Chloe Chamberland, a researcher from Wordfence, explains that while the plugin has a predefined list of banned keys that users should not be able to update, vulnerable versions of the plugin can be manipulated using various cases, slashes, and character encoding to bypass the implemented filters.

Reports emerged after rogue administrator accounts were discovered on affected sites, leading the plugin maintainers to release partial fixes in versions 2.6.4, 2.6.5, and 2.6.6. A comprehensive patch is expected to be released soon.

WPScan warns that the current patches are incomplete and they have found multiple methods to circumvent them, indicating that the vulnerability is still actively exploitable.

In observed attacks, hackers are leveraging the flaw to register new accounts with names such as apadmins, se_brutal, segs_brutal, wpadmins, wpengine_backup, and wpenginer. These accounts are then used to upload malicious plugins and themes via the site’s administration panel.

Users of the Ultimate Member plugin are strongly advised to disable it until a proper patch that fully addresses the security hole is made available. It is also recommended to review all administrator-level users on their websites to check for any unauthorized accounts.

Ultimate Member Version 2.6.7 Released

To address the actively exploited privilege escalation flaw, the authors of Ultimate Member have released version 2.6.7 of the plugin on July 1. As an additional security measure, they plan to introduce a new feature that will enable website administrators to reset passwords for all users.

“In version 2.6.7, we have introduced whitelisting for meta keys stored while sending forms,” stated the plugin maintainers in an independent advisory. “Additionally, 2.6.7 separates form settings data and submitted data and operates them in two different variables.”
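To make the difference between the two filtering designs concrete, here is an added illustration in the style of a WordPress plugin; it is not Ultimate Member's code, and the function names, the denylist contents and the submitted form data are all constructed for the example.

```php
<?php
// Added example (not Ultimate Member's code). It contrasts a denylist filter,
// the weak pattern the article describes, with an allowlist built from the
// form's own field definitions, the approach the 2.6.7 advisory describes.
// Keys that survive the filter are the ones that would reach update_user_meta().

// Hypothetical denylist of protected meta keys.
const BANNED_META_KEYS = ['wp_capabilities', 'wp_user_level'];

// Weak design: rejects only exact string matches against the denylist.
// Any variant of a protected key that is not byte-for-byte identical
// passes through, which is why case, slash and encoding variants matter.
function denylist_filter(array $submitted): array {
    return array_filter(
        $submitted,
        function ($key) { return !in_array($key, BANNED_META_KEYS, true); },
        ARRAY_FILTER_USE_KEY
    );
}

// Stronger design: the form definition (kept separate from the submitted
// data) is the only source of permitted keys; everything else is dropped,
// so no variant of an unlisted key can get through.
function allowlist_filter(array $form_fields, array $submitted): array {
    return array_intersect_key($submitted, array_flip($form_fields));
}

// Constructed sample: the form defines two profile fields, but the
// submission also carries a key that is a case variant of a protected one.
$form_fields = ['first_name', 'description'];
$submitted = [
    'first_name'      => 'Alice',
    'description'     => 'Hello',
    'WP_Capabilities' => ['administrator' => true], // not an exact denylist match
];

echo "denylist keeps:  " . implode(', ', array_keys(denylist_filter($submitted))) . "\n";
echo "allowlist keeps: " . implode(', ', array_keys(allowlist_filter($form_fields, $submitted))) . "\n";
```

The denylist version lets the unexpected key through while the allowlist version keeps only the two fields the form defines; reviewing which meta keys a registration form can write is the same check a site owner can apply when auditing any plugin that stores user-submitted profile data.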


Disclaimer: The above blog post is a summary of an article from The Hacker News. For more details and the full content, please refer to the original article.