Hackers exploit zero-day in Ultimate Member WordPress plugin with 200K installs
Hackers exploit a zero-day privilege escalation vulnerability in the ‘Ultimate Member’ WordPress plugin to compromise websites by bypassing security measures and registering rogue administrator accounts.
Ultimate Member is a user profile and membership plugin that facilitates sign-ups and building communities on WordPress sites, and it currently has over 200,000 active installations.
The exploited flaw, tracked as CVE-2023-3460, and having a CVSS v3.1 score of 9.8 (“critical”), impacts all versions of the Ultimate Member plugin, including its latest version, v2.6.6.
While the developers initially attempted to fix the flaw in versions 2.6.3, 2.6.4, 2.6.5, and 2.6.6, there are still ways to exploit the flaw. The developers have said they are continuing to work on resolving the remaining issue and hope to release a new update soon.
“We are working on the fixes related to this vulnerability since 2.6.3 version when we get a report from one of our customer,” posted one of the Ultimate Member developers.
“Versions 2.6.4, 2.6.5, 2.6.6 partially close this vulnerability but we are still working together with WPScan team for getting the best result. We also get their report with all necessary details.”
“All previous versions are vulnerable so we highly recommend to upgrade your websites to 2.6.6 and keep updates in the future for getting the recent security and feature enhancements.”
Attacks exploiting CVE-2023-3460
The attacks exploiting this zero-day were discovered by website security specialists at Wordfence, who warn that threat actors exploit it by using the plugin’s registration forms to set arbitrary user meta values on their accounts.
More specifically, attackers set the “wp_capabilities” user meta value to define their user role as administrators, granting them complete access to the vulnerable site.
The plugin has a blocklist for keys that users shouldn’t be possible to upgrade; however, bypassing this protection measure is trivial, says Wordfence.
WordPress sites hacked using CVE-2023-3460 in these attacks will show the following indicators:
- Appearance of new administrator accounts on the website
- Usage of the usernames wpenginer, wpadmins, wpengine_backup, se_brutal, segs_brutal
- Log records showing that IPs known to be malicious accessed the Ultimate Member registration page
- Log records showing access from 22.214.171.124, 126.96.36.199, 188.8.131.52, 184.108.40.206, and 220.127.116.11
- Appearance of a user account with an email address associated to “exelica.com”
- Installation of new WordPress plugins and themes on the site
Because the critical flaw remains unpatched and is so easy to exploit, WordFence recommends the Ultimate Member plugin be uninstalled immediately.
Wordfence explains that not even the firewall rule it specifically developed to protect its clients from this threat covers all potential exploitation scenarios, so removing the plugin until its vendor addresses the problem is the only prudent action.
If a site is found to have been compromised, based on the IoCs shared above, removing the plugin will not be enough to remediate the risk.
In those cases, website owners must run complete malware scans to uproot any remnants of the compromise, such as the rogue admin accounts and any backdoors they created.