WordPress plugin bugs can let attackers hijack up to 100K sites
2020-11-09 18:29

Admins of WordPress sites who use the Ultimate Member plugin are urged to update it to the latest version to block attacks attempting to exploit multiple critical and easy-to-exploit vulnerabilities that could lead to site takeovers.

In a report published earlier today by Wordfence's Threat Intelligence team, threat analyst Chloe Chamberland said that the three security flaws disclosed by Wordfence could have allowed attackers to escalate their privileges to administrator level and fully take over any WordPress site using a vulnerable Ultimate Member installation.

"Once an attacker has administrative access to a WordPress site, they have effectively taken over the entire site and can perform any action, from taking the site offline to further infecting the site with malware," Chamberland explained.

Ultimate Member users are urged to update the plugin to 2.1.12 as soon as possible to prevent attacks designed to take over sites running vulnerable versions of this plugin.

To put things into perspective when it comes to threat actors' interest in hijacking WordPress sites, two months ago several of them were actively trying to take control of more than 600,000 sites running unpatched versions of the File Manager plugin.


News URL

https://www.bleepingcomputer.com/news/security/wordpress-plugin-bugs-can-let-attackers-hijack-up-to-100k-sites/

Related vendor

VENDOR LAST 12M #/PRODUCTS LOW MEDIUM HIGH CRITICAL TOTAL VULNS
Wordpress 7 2 95 44 18 159
Plugin 2 0 13 1 0 14