Wordfence’s Threat Intelligence team has reported three critical vulnerabilities in a WordPress plugin that put almost 100,000 sites at risk.
The plugin, Ultimate Member, is intended to assign different access levels to site visitors. The three reported bugs could let anyone with minimal access gain admin privileges. A patch for these bugs is available.
WordPress Plugin Puts 100K Sites at Risk
Ultimate Member, a popular WordPress plugin, was reported to have three vulnerabilities rated from serious to severe. They were documented by Wordfence’s Threat Intelligence team, which had earlier surfaced similar bugs in the Newsletter and Google Site Kit plugins. The team said two of the three bugs have a severity score of 10/10, and the third 9.8/10.
All three bugs can be exploited to escalate privileges: two by unauthenticated users (hence the 10/10 severity) and one by authenticated users (hence the 9.8/10 score).
The Ultimate Member plugin is used to manage site membership. It controls the permissions given to users, for example allowing only paid subscribers to view exclusive content.
The report said the high-severity bugs would allow unauthenticated users, such as those submitting contact forms, to gain admin-level privileges on the site.
The authenticated bug requires the attacker to have access to the wp-admin page, and similarly grants them admin privileges. Gaining those privileges means being able to do whatever they wish to the site.
As Wordfence described, any user with admin-level privileges can install any plugin, remove features, change other users’ roles, infect the site with malware, and even take the site down completely.
The bugs were reported to the Ultimate Member team on October 26th, and the team responded with a patch on October 29th. Site owners are advised to update to the latest version, 2.1.12.