Admins of WordPress sites who use the Ultimate Member plugin are urged to update it to the latest version to block attacks attempting to exploit multiple critical and easy to exploit vulnerabilities that could lead to site takeovers.
Ultimate Member is an extensible WordPress plugin with more than 100,000 active installations and is designed to make the task of profile and membership management easier.
The plugin provides support for creating websites allowing for easy sign-up and building online communities with custom privileges for various user roles.
Privilege escalation bugs
In a report published earlier today by Wordfence’s Threat Intelligence team, threat analyst Chloe Chamberland said that the three security flaws disclosed by Wordfence could have allowed attackers to escalate their privileges to admin ones and fully take over any WordPress site using a vulnerable Ultimate Member installation.
After disclosing the vulnerabilities to the plugin’s development team on October 26, all three privilege escalation bugs were fixed with the release of Ultimate Member 2.1.12 on October 29.
One of them is considered by Wordfence as “very critical” given that it “makes it possible for originally unauthenticated users to easily escalate their privileges to those of an administrator.”
“Once an attacker has administrative access to a WordPress site, they have effectively taken over the entire site and can perform any action, from taking the site offline to further infecting the site with malware,” Chamberland explained.
Two of the bugs received the maximum CVSS severity rating of 10/10 because they allow unauthenticated privilege escalation: one via user meta (admin capabilities granted upon registration) and one via user roles (an admin role selected during registration).
The third one was rated 9.8/10 as it requires wp-admin access to the site’s profile.php page, but it’s still considered critical since it allows any authenticated attacker to elevate privileges to admin with very little effort.
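Since all three bugs end with an account holding the administrator role, one practical post-update check is to enumerate every administrator account and compare the list against the people who should have it. The query below is an added example, not from the article or the plugin; it assumes the default `wp_` table prefix and a standard MySQL/MariaDB WordPress database.

```sql
-- Added example: list every account that holds the administrator role,
-- newest registrations first, so that an account that was created with
-- (or promoted to) admin while a vulnerable plugin version was installed
-- stands out. Assumes the default "wp_" table prefix.
SELECT u.ID,
       u.user_login,
       u.user_email,
       u.user_registered,
       caps.meta_value AS capabilities,   -- serialized PHP array of roles
       lvl.meta_value  AS user_level      -- legacy level; 10 means administrator
FROM wp_users AS u
JOIN wp_usermeta AS caps
  ON caps.user_id = u.ID
 AND caps.meta_key = 'wp_capabilities'
LEFT JOIN wp_usermeta AS lvl
  ON lvl.user_id = u.ID
 AND lvl.meta_key = 'wp_user_level'
WHERE caps.meta_value LIKE '%"administrator"%'   -- matches a:1:{s:13:"administrator";b:1;}
   OR lvl.meta_value = '10'                      -- catches a level set without a role entry
ORDER BY u.user_registered DESC;
```

Any row the site owner does not recognise, especially one registered while version 2.1.11 or earlier was active, warrants a closer look at that account's activity and at any content or plugins it added.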
Thousands of sites still exposed to attacks
Although Ultimate Member 2.1.12, the version that fixes the three vulnerabilities, was released on October 26, the plugin was downloaded roughly 75,000 times (with almost 32,000 of them the day after the update was released) according to historic download data, including both updates and new installs.
This means that at least 25,000 WordPress websites with active Ultimate Member installations are still potentially left exposed to attacks if threat actors start exploiting these bugs as part of future malicious campaigns.
Ultimate Member users are urged to update the plugin to 2.1.12 as soon as possible to prevent attacks designed to take over sites running vulnerable versions of this plugin.
To put things into perspective when it comes to threat actors’ interest in hijacking WordPress sites, two months ago several of them were actively trying to take control of more than 600,000 sites running unpatched versions of the File Manager plugin.
The flaw they attempted to exploit allowed unauthenticated attackers to upload malicious PHP files and execute arbitrary code on compromised sites.
In all, researchers detected attacks trying to exploit the vulnerability originating from over 370,000 separate IP addresses, with almost no overlap in access activity.