Introduction
In a recent security incident, attackers have successfully exploited a zero-day vulnerability in the widely used Ultimate Member WordPress plugin. This critical flaw, tracked as CVE-2023-3460, allows attackers to bypass the plugin's security checks and gain unauthorized access by creating rogue administrator accounts. With over 200,000 active installations, numerous websites are at risk of compromise. In this blog post, we will delve into the details of this vulnerability, its impact, and the necessary steps to protect your website.
Ultimate Member Plugin and Its Vulnerability
Ultimate Member is a popular WordPress plugin that empowers website administrators to create user profiles, build communities, and manage memberships seamlessly. Unfortunately, all versions of the plugin, including the latest version 2.6.6, are affected by the CVE-2023-3460 vulnerability. This privilege escalation flaw allows attackers to manipulate user meta values through the plugin's registration forms, specifically targeting the "wp_capabilities" meta value. By modifying this value, attackers can elevate their user role to that of an administrator, granting them complete control over the compromised website.
Exploitation and Indicators
Security experts at Wordfence were the first to discover attacks exploiting the CVE-2023-3460 vulnerability. Attackers take advantage of the plugin's flawed blocklist logic, which allows them to bypass the restrictions on which meta keys a registration form may set. As a result, affected websites may show various indicators of compromise, including the appearance of unauthorized administrator accounts with usernames such as "wpenginer", "wpadmins", "wpengine_backup", "se_brutal", and "segs_brutal", and log records of malicious IP addresses accessing the Ultimate Member registration page. In some instances, attackers may go on to install malicious plugins and themes through the compromised site's administration panel.
The PoC for the vulnerability has not been released yet.
The Importance of Immediate Action
Given the critical nature of this vulnerability and the ongoing exploitation, it is crucial for website owners to take immediate action to safeguard their websites. The developers of Ultimate Member have made efforts to address the flaw in recent versions, but the fixes have proven insufficient. Consequently, security experts strongly recommend uninstalling the Ultimate Member plugin until a comprehensive patch is released by the vendor. Even renowned security solutions like Wordfence cannot guarantee full protection against all exploitation scenarios, making removal the most prudent course of action.
Remediating the Risk
If your website has been compromised, or you suspect it may have been, simply uninstalling the plugin will not be enough to mitigate the risk. It is essential to conduct a thorough malware scan to detect any remnants of the compromise, such as rogue administrator accounts and potential backdoors. Additionally, auditing all administrator-level users on your website is advised, to identify any unauthorized accounts that may have been created by the attackers.
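As an added example (not part of the original post or the plugin's own code), the following script performs the administrator audit described above. It assumes rows exported from wp_users joined to the wp_usermeta "wp_capabilities" row (the meta key carries the site's table prefix, "wp_" by default), flags any administrator not on an expected list, any administrator registered recently, and any account whose username matches the indicators reported by Wordfence; the sample rows are constructed, not real site data.

```python
import re
from datetime import datetime, timedelta

# Usernames reported in the post as created by attackers exploiting CVE-2023-3460.
IOC_USERNAMES = {"wpenginer", "wpadmins", "wpengine_backup", "se_brutal", "segs_brutal"}

# Constructed sample export (wp_users joined to wp_usermeta, meta_key = 'wp_capabilities').
SAMPLE_ROWS = [
    {"user_login": "alice", "user_registered": "2022-01-10 09:00:00",
     "wp_capabilities": 'a:1:{s:13:"administrator";b:1;}'},
    {"user_login": "bob", "user_registered": "2023-03-02 12:00:00",
     "wp_capabilities": 'a:1:{s:10:"subscriber";b:1;}'},
    {"user_login": "wpengine_backup", "user_registered": "2023-06-29 03:14:00",
     "wp_capabilities": 'a:1:{s:13:"administrator";b:1;}'},
    {"user_login": "jsmith", "user_registered": "2023-06-28 22:41:00",
     "wp_capabilities": 'a:2:{s:10:"subscriber";b:1;s:13:"administrator";b:1;}'},
]

# Minimal extraction of enabled role names from a PHP-serialized wp_capabilities
# array (s:<len>:"<role>";b:1;). A full PHP unserializer is stricter; this is enough
# for an audit pass over the standard role-map layout.
ROLE_RE = re.compile(r's:\d+:"([^"]+)";b:1;')


def roles_from_capabilities(serialized):
    """Return the set of roles enabled in a serialized wp_capabilities value."""
    return set(ROLE_RE.findall(serialized))


def audit_admins(rows, known_admins, now, recent_days=30):
    """Return (user_login, reasons) for every administrator that deserves review."""
    findings = []
    for row in rows:
        if "administrator" not in roles_from_capabilities(row["wp_capabilities"]):
            continue  # only administrator-level accounts are in scope
        login = row["user_login"]
        reasons = []
        if login in IOC_USERNAMES:
            reasons.append("username matches reported indicator of compromise")
        if login not in known_admins:
            reasons.append("administrator not in the expected admin list")
        registered = datetime.strptime(row["user_registered"], "%Y-%m-%d %H:%M:%S")
        if now - registered <= timedelta(days=recent_days):
            reasons.append("administrator registered within the last %d days" % recent_days)
        if reasons:
            findings.append((login, reasons))
    return findings


if __name__ == "__main__":
    for login, reasons in audit_admins(SAMPLE_ROWS, {"alice"}, datetime(2023, 7, 1)):
        print(login, "->", "; ".join(reasons))
```

Run the same function over a real export (for example the output of a SELECT joining wp_users and wp_usermeta, or a WP-CLI user listing converted to the same fields) and treat every finding as an account to verify with its owner before deciding whether to remove it.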
Conclusion
The exploitation of the CVE-2023-3460 vulnerability in the Ultimate Member WordPress plugin highlights the importance of staying vigilant and promptly addressing security vulnerabilities. Website administrators must prioritize the security of their sites by uninstalling the affected plugin and conducting comprehensive security measures. Regular updates, robust security practices, and proactive monitoring are key to safeguarding your website and protecting it from potential cyber threats.
Contributed by Dhabaleshwar Das