The Ultimate Member WordPress plugin, which boasts over 200,000 active installations, is currently being actively exploited on unpatched WordPress sites. The plugin's protections against the flaw are reportedly easy to bypass.
Ultimate Member Plugin Vulnerability
The Ultimate Member WordPress plugin allows publishers to build online communities on their websites.
The plugin facilitates user sign-ups and the creation of user profiles seamlessly. It is especially popular among membership sites.
The free version offers a wide range of features, including front-end user profiles, registration, login, and the ability to create member directories.
However, the plugin also had a critical flaw that allowed site visitors to create member profiles with near-administrator level privileges.
The WPScan security database highlighted the severity of the vulnerability:
“The plugin does not prevent visitors from creating user accounts with arbitrary capabilities, effectively allowing attackers to create administrator accounts at will.
This is actively being exploited in the wild.”
Failed Security Update
The vulnerability was discovered in late June 2023, prompting the Ultimate Member team to respond swiftly with a patch.
This patch, released in version 2.6.5 on June 28th, attempted to close the vulnerability.
The official changelog stated:
“Fixed: A privilege escalation vulnerability used through UM Forms.
Known in the wild, this vulnerability allowed strangers to create administrator-level WordPress users.
Please update immediately and check all administrator-level users on your website.”
However, the fix did not completely solve the issue, and websites continued to be exploited.
On June 29th, security researchers at Wordfence analyzed the plugin and concluded that the patch was ineffective. They detailed their findings in a blog post:
“Upon further investigation, we discovered that this vulnerability is being actively exploited and it hasn’t been adequately patched in the latest version available, which is 2.6.6 at the time of this writing.”
The issue was so problematic that Wordfence described the effort required to bypass the plugin's filters as trivial.
Wordfence explained:
“While the plugin has a preset defined list of banned keys that a user should not be able to update, there are trivial ways to bypass these filters, such as using various cases, slashes, and character encoding in a supplied meta key value in vulnerable versions of the plugin.
This enables attackers to set the wp_capabilities user meta value, which controls the user’s role on the site, to ‘administrator’.
This grants the attacker complete access to the vulnerable site when successfully exploited.”
The Administrator user level is the highest access level on a WordPress site.
This exploit is particularly concerning because it is an “Unauthenticated Privilege Escalation,” meaning that a hacker doesn’t need any prior access to the website to exploit the plugin.
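The weakness Wordfence describes is a denylist compared against the raw submitted meta key. As an added example (not Ultimate Member's code), the PHP below canonicalises the key before matching it against the denylist and then only accepts keys on an explicit allowlist; the denylist and allowlist contents and the default wp_ table prefix are assumptions for illustration.

```php
<?php
// Added example, not code from the Ultimate Member plugin.
// Keys a profile form must never be allowed to write. The real WordPress
// key is "{$wpdb->prefix}capabilities"; the default "wp_" prefix is assumed.
const DENIED_META_KEYS = ['wp_capabilities', 'wp_user_level', 'user_pass', 'role'];
// Hypothetical allowlist of profile fields the form is permitted to update.
const ALLOWED_META_KEYS = ['first_name', 'last_name', 'description'];

function canonicalise_meta_key(string $key): string
{
    // Decode until stable so double encoding (%2577 -> %77 -> w) collapses.
    do {
        $previous = $key;
        $key = rawurldecode($key);
    } while ($key !== $previous);

    // Remove backslash escaping, then fold case and drop any character that
    // cannot appear in a legitimate meta key (slashes, whitespace, etc.).
    $key = stripslashes($key);
    return preg_replace('/[^a-z0-9_]/', '', strtolower($key));
}

function is_meta_key_allowed(string $key): bool
{
    $canonical = canonicalise_meta_key($key);
    if (in_array($canonical, DENIED_META_KEYS, true)) {
        return false;
    }
    // Denylists are brittle by nature; require an explicit allowlist match.
    return in_array($canonical, ALLOWED_META_KEYS, true);
}

// Constructed inputs: one legitimate field, then case and encoding variants
// of a denied key that a raw string comparison would not recognise.
$samples = ['first_name', 'WP_Capabilities', 'wp%5Fcapabilities'];
foreach ($samples as $sample) {
    printf("%-20s -> %s\n", $sample, is_meta_key_allowed($sample) ? 'allowed' : 'rejected');
}
```

Only the first sample is accepted; the variants are rejected because they are canonicalised before the denylist check and also fail the allowlist.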
Ultimate Member Apologizes
The team at Ultimate Member issued a public apology, providing a full account of the events and their actions to address the issue.
Unlike many companies, Ultimate Member was commendable in being upfront with their users about the security incidents.
They wrote:
“Firstly, we want to apologize for the vulnerabilities in our plugin’s code and to any website that has been impacted or experienced concern over these vulnerabilities.
As soon as we were informed of these security issues, we immediately began updating the code to patch them.
We have released several updates since the disclosure as we worked through the vulnerabilities, and we want to give a big thank you to the team at WPScan for their assistance and guidance after they disclosed the vulnerabilities to us.”
Users of the Plugin Urged to Update Immediately
WPScan’s security researchers urged all users of the plugin to update their sites to Version 2.6.7 immediately.
WPScan’s special announcement noted:
“A new version, 2.6.7, was released this weekend and fixes the issue.
If you use Ultimate Member, update to this version as soon as possible.
This is a very serious issue: unauthenticated attackers may exploit this vulnerability to create new user accounts with administrative privileges, giving them the power to take complete control of affected sites.”
This vulnerability is rated 9.8 on a scale of 1 to 10, with ten being the most severe.
Users of the plugin are highly recommended to update immediately.