July 4, 2023

Hackers exploit zero-day vulnerability in popular WordPress plugin


Source: Bleeping Computer

Summary

WordPress is advising its users to uninstall the popular ‘Ultimate Member’ plugin until it can develop a patch to fix a zero-day privilege escalation vulnerability. Ultimate Member is used by 200,000 WordPress sites for sign-up and community-building management. The flaw, CVE-2023-3460, allows threat actors to change their user meta value to define their role as an administrator, providing them with complete access to the site.

WordPress has released several patches to fix the vulnerability, yet hackers continue to find ways to bypass them and compromise the plugin. Additionally, removing the Ultimate Member plugin from a compromised website is not enough to sever the threat actors’ access, as they have likely already created backdoors and rogue admin accounts to maintain persistent access.

Analysis

WordPress is a popular content management system due to its affordability, ease of use, and repository of nearly 60,000 plugins. Unfortunately, it’s also a popular target for threat actors looking for infrastructure to host malware or serve as part of their command and control (C2) networks.

The many plugins users can install into their WordPress sites are often misconfigured and not regularly updated, making them low-hanging fruit for threat actors.

For example, in April 2023, threat actors exploited a vulnerability in Elementor Pro, another popular WordPress plugin used by over 11,000,000 websites. The flaw allowed authenticated users to change the site’s settings, including giving themselves administrator privileges that allowed them to completely take over the website.

Gaining administrator access by exploiting vulnerable plugins enables threat actors to use the WordPress site to conduct various forms of malicious activity, from stealing financial and personal information to installing and hosting malware.

Mitigation

Field Effect strongly encourages users of the Ultimate Member WordPress plugin to disable it until a conclusive patch has been released to address the vulnerability. Site admins should also investigate any recently registered administrator accounts.
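The second part of that advice, checking for recently registered administrator accounts, can be done directly against the site's database. The script below is an added example and is not code from the article or from Field Effect; it runs over constructed rows shaped like the `wp_users` and `wp_usermeta` tables (the `wp_` prefix and the 30-day window are assumptions, and the sample accounts are invented). WordPress stores a user's roles in the `<prefix>capabilities` user meta key as a PHP-serialized array, which is exactly the value the summary says the flaw let attackers manipulate, so the script parses that value and lists every administrator whose `user_registered` date falls inside the window.

```python
import re
from datetime import datetime, timedelta

# Constructed sample rows shaped like wp_users and wp_usermeta exports (not real site data).
# WordPress keeps roles in the "<table_prefix>capabilities" meta key (wp_capabilities by default)
# as a PHP-serialized array such as a:1:{s:13:"administrator";b:1;}
USERS = [
    {"ID": 1,  "user_login": "siteowner", "user_registered": "2021-03-02 10:15:00"},
    {"ID": 57, "user_login": "jdoe",      "user_registered": "2023-06-20 08:00:00"},
    {"ID": 58, "user_login": "wpadm1n",   "user_registered": "2023-06-30 02:41:13"},
    {"ID": 59, "user_login": "newmember", "user_registered": "2023-07-01 12:00:00"},
]
USERMETA = [
    {"user_id": 1,  "meta_key": "wp_capabilities", "meta_value": 'a:1:{s:13:"administrator";b:1;}'},
    {"user_id": 57, "meta_key": "wp_capabilities", "meta_value": 'a:1:{s:6:"editor";b:1;}'},
    {"user_id": 58, "meta_key": "wp_capabilities", "meta_value": 'a:1:{s:13:"administrator";b:1;}'},
    {"user_id": 59, "meta_key": "wp_capabilities", "meta_value": 'a:1:{s:10:"subscriber";b:1;}'},
]

# Matches one serialized array entry whose value is boolean true: s:<len>:"<role>";b:1;
_ROLE_RE = re.compile(r's:\d+:"([^"]+)";b:1;')


def roles_from_capabilities(serialized: str) -> set:
    """Return the role names that are set to true in a PHP-serialized capabilities array."""
    return set(_ROLE_RE.findall(serialized))


def recent_admins(users, usermeta, now, days=30, prefix="wp_"):
    """Return the user_login of every administrator registered within the last `days` days.

    `prefix` is the WordPress table prefix (assumed "wp_" here); it determines the meta key.
    """
    cutoff = now - timedelta(days=days)
    caps_key = f"{prefix}capabilities"
    admin_ids = {
        m["user_id"]
        for m in usermeta
        if m["meta_key"] == caps_key
        and "administrator" in roles_from_capabilities(m["meta_value"])
    }
    flagged = []
    for u in users:
        registered = datetime.strptime(u["user_registered"], "%Y-%m-%d %H:%M:%S")
        if u["ID"] in admin_ids and registered >= cutoff:
            flagged.append(u["user_login"])
    return flagged


if __name__ == "__main__":
    # Review date taken from the article's publication date; "wpadm1n" is the only new admin.
    for login in recent_admins(USERS, USERMETA, datetime(2023, 7, 4)):
        print(f"recently registered administrator: {login}")
```

Any account the script lists should be verified against the site owner's records before it is removed; long-standing administrators such as `siteowner` in the sample are deliberately left out so that the list stays short enough to review. On a live site the same data can be pulled with `wp user list --role=administrator` from WP-CLI or with a join of `wp_users` and `wp_usermeta`, and, as the summary notes, a rogue admin account is only one of the persistence mechanisms to look for.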
