Wordfence researchers have reported a zero-day vulnerability in the Ultimate Member plugin, which has more than 200,000 WordPress installations.
Although the plugin's developers have released an update, it does not fully fix the flaw. Until a complete fix is available, the researchers advise site admins to remove the Ultimate Member plugin and scan their sites for signs of compromise.
No Patch For a Security Bug
Ultimate Member, a WordPress plugin that provides a simple UI for building online communities and membership sites, has a zero-day vulnerability tracked as CVE-2023-3460 and rated 9.9/10 in severity. Wordfence researchers say the flaw lets anyone who can reach the site's registration form quickly gain administrator privileges on the targeted site.
The attacker only needs to submit the plugin's registration form with arbitrary user meta values, which the plugin stores for the newly created account. For example, supplying a value for the "wp_capabilities" user meta key through the registration form sets the new user's role to administrator, giving the attacker full control of the underlying site.
The developers attempted to patch the bug in an update, but researchers note that the fix can still be bypassed. Asking site admins to stay on v2.6.6 for now, the developers said they are working on another update with a complete fix.
Until that patch arrives, sites running the plugin remain exposed, so Wordfence recommends removing it and scanning sites for signs of an existing compromise. The indicators to look for are:
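The following is an added example, not the plugin's own code, modelling the pattern behind this bug: submitted form fields are copied into user meta, and a deny-list of dangerous keys is the only thing standing between the form and `wp_capabilities`. The field names, the storage-side key normalisation and the two bypass variants (a case variant and a URL-encoded key) are assumptions chosen to show why a deny-list checked against the raw key fails and why an allow-list checked after normalisation does not.

```python
"""Model of the CVE-2023-3460 registration flaw: added example, not the plugin's
own code. The plugin stored submitted form fields as user meta and relied on a
deny-list of dangerous keys; the field names, the storage-side normalisation
and the bypass variants below are assumptions chosen to show why that fails."""
import urllib.parse

# Keys that change what an account may do once written to usermeta.
# wp_capabilities is the key the article names; "wp_" is the assumed table prefix.
DENIED_KEYS = {"wp_capabilities", "wp_user_level"}

# Assumed allow-list of the fields the registration form is actually meant to carry.
ALLOWED_KEYS = {"first_name", "last_name", "description"}


def normalise_key(key: str) -> str:
    """Models the cleanup a storage/lookup layer applies to a meta key
    (URL-decoding, unslashing, case-insensitive comparison). Assumed model."""
    key = urllib.parse.unquote(key)
    key = key.replace("\\", "")
    return key.lower()


def vulnerable_register(form: dict) -> dict:
    """Deny-list check on the key exactly as submitted, while the key is stored
    under its normalised form: a variant that is not on the list slips through."""
    meta = {}
    for key, value in form.items():
        if key in DENIED_KEYS:
            continue  # only an exact-match key is blocked
        meta[normalise_key(key)] = value
    return meta


def hardened_register(form: dict) -> dict:
    """Allow-list check applied after the same normalisation the storage uses:
    anything the form is not meant to carry is dropped, whatever its spelling."""
    meta = {}
    for key, value in form.items():
        key = normalise_key(key)
        if key in ALLOWED_KEYS:
            meta[key] = value
    return meta


def effective_role(meta: dict) -> str:
    """What WordPress would derive from the stored capabilities (subscriber by default)."""
    caps = meta.get("wp_capabilities", {"subscriber": True})
    return "administrator" if caps.get("administrator") else "subscriber"


# Constructed sample submissions.
NAIVE_FORM = {"first_name": "Mallory", "wp_capabilities": {"administrator": True}}
ATTACK_FORM = {
    "first_name": "Mallory",
    "WP_Capabilities": {"administrator": True},  # case variant of the denied key
    "wp_user%5Flevel": 10,                        # URL-encoded underscore
}

if __name__ == "__main__":
    for name, form in (("naive", NAIVE_FORM), ("bypass", ATTACK_FORM)):
        print(name, "vulnerable ->", effective_role(vulnerable_register(form)),
              "| hardened ->", effective_role(hardened_register(form)))
```

The naive submission is caught by the deny-list, the bypass submission is not; the allow-list version rejects both because it never asks whether a key is dangerous, only whether it is expected. That is the shape of fix to look for when reviewing any form-to-meta code, not just this plugin.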
- User accounts with the usernames wpenginer, wpadmins, wpengine_backup, se_brutal or segs_brutal.
- New administrator accounts that the site owner did not create.
- Log records showing access from 220.127.116.11, 18.104.22.168, 22.214.171.124, 126.96.36.199 or 188.8.131.52, or from any other IP address known to be abusing the Ultimate Member registration page.
- A user account whose email address belongs to the domain exelica.com.
- New WordPress plugins or themes installed on the site.
If any of these indicators is present, assume the site is compromised and begin remediation, including removing any rogue administrator accounts and any backdoors they may have planted in the WordPress installation.
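The following is an added example, not Wordfence's tooling, that runs the indicator list above over a site's user table, plugin inventory and web server access log. The usernames, IP addresses and email domain are the ones listed in the article; the user records, plugin names and log lines are constructed samples, and the registration page path `/register/` is an assumption (check the path your site actually uses).

```python
"""IOC triage for the indicators listed above: added example, not Wordfence's
tooling. The users, plugin inventory and access-log lines are constructed
samples; the usernames, IPs and email domain are the ones the article lists,
and the registration path /register/ is an assumption."""
import re

SUSPECT_USERNAMES = {"wpenginer", "wpadmins", "wpengine_backup", "se_brutal", "segs_brutal"}
SUSPECT_EMAIL_DOMAIN = "exelica.com"
SUSPECT_IPS = {"220.127.116.11", "18.104.22.168", "22.214.171.124",
               "126.96.36.199", "188.8.131.52"}

# Apache/nginx combined log format: client IP, timestamp, request line, status.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})')


def parse_log_line(line: str):
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def suspicious_users(users, known_admins):
    """Flag listed usernames, exelica.com addresses and administrators the site
    owner does not recognise. Returns [(login, [reasons])]."""
    hits = []
    for u in users:
        reasons = []
        if u["login"] in SUSPECT_USERNAMES:
            reasons.append("username on attacker list")
        if u["email"].lower().rsplit("@", 1)[-1] == SUSPECT_EMAIL_DOMAIN:
            reasons.append("email at exelica.com")
        if "administrator" in u["roles"] and u["login"] not in known_admins:
            reasons.append("administrator not in known-admin list")
        if reasons:
            hits.append((u["login"], reasons))
    return hits


def suspicious_requests(lines, register_path="/register/"):
    """Flag every request from a listed IP, and every POST to the registration
    page from any IP so addresses the list does not cover still get reviewed."""
    hits = []
    for line in lines:
        rec = parse_log_line(line)
        if rec is None:
            continue  # not a combined-format line; skip rather than guess
        if rec["ip"] in SUSPECT_IPS:
            hits.append((rec["ip"], rec["path"], "listed attacker IP"))
        elif rec["method"] == "POST" and rec["path"].startswith(register_path):
            hits.append((rec["ip"], rec["path"], "registration POST, review IP"))
    return hits


def new_extensions(installed, baseline):
    """Plugins/themes present now that were not in the last known-good inventory."""
    return sorted(set(installed) - set(baseline))


# Constructed sample data.
SAMPLE_USERS = [
    {"login": "alice", "email": "alice@example.com", "roles": ["administrator"]},
    {"login": "wpengine_backup", "email": "ops@exelica.com", "roles": ["administrator"]},
    {"login": "bob", "email": "bob@example.com", "roles": ["subscriber"]},
    {"login": "carol", "email": "carol@example.com", "roles": ["administrator"]},
]
KNOWN_ADMINS = {"alice"}
SAMPLE_LOG = [
    '220.127.116.11 - - [28/Jun/2023:10:14:02 +0000] "POST /register/ HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [28/Jun/2023:10:15:44 +0000] "GET /wp-login.php HTTP/1.1" 200 1234 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [28/Jun/2023:10:16:00 +0000] "POST /register/ HTTP/1.1" 302 0 "-" "curl/8.1"',
    'garbage line that is not a log record',
]
BASELINE_PLUGINS = {"ultimate-member", "akismet"}
INSTALLED_PLUGINS = {"ultimate-member", "akismet", "unexpected-plugin"}

if __name__ == "__main__":
    for login, reasons in suspicious_users(SAMPLE_USERS, KNOWN_ADMINS):
        print("user", login, "->", "; ".join(reasons))
    for ip, path, reason in suspicious_requests(SAMPLE_LOG):
        print("request", ip, path, "->", reason)
    print("new plugins:", new_extensions(INSTALLED_PLUGINS, BASELINE_PLUGINS))
```

The known-admin list and plugin baseline have to come from a record made before the incident window; comparing against the current state of a site that may already be compromised tells you nothing. A hit on the registration POST check is not proof of compromise on its own, but every IP it surfaces is worth cross-checking against the accounts created at that time.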