Hackers exploit zero-day in Ultimate Member WordPress plugin with 200K installs
2023-06-30 19:49

Hackers are exploiting a zero-day privilege escalation vulnerability in the 'Ultimate Member' WordPress plugin to compromise websites, bypassing the plugin's security measures to register rogue administrator accounts.

Ultimate Member is a user profile and membership plugin for handling sign-ups and building communities on WordPress sites; it currently has over 200,000 active installations.

The exploited flaw, tracked as CVE-2023-3460 with a CVSS v3.1 score of 9.8, impacts all versions of the Ultimate Member plugin, including the latest release at the time, v2.6.6.

Because the critical flaw was still unpatched at the time of writing and is easy to exploit, Wordfence recommends uninstalling the Ultimate Member plugin immediately. The vulnerability record below lists versions before 2.6.7 as affected, so any install that cannot be removed should at minimum be checked for unexpected administrator accounts.
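The following PHP is an added illustration and is not code from the Ultimate Member plugin, from Wordfence, or from the article. It shows the bug class the vulnerability record describes (a registration flow that lets a visitor set arbitrary user capabilities), a hardened registration handler, a reserved-key check for code paths that must accept dynamic meta keys, and the audit an incident responder would run first: listing administrator accounts created since a given date. The function names insecure_register(), secure_register(), is_reserved_user_meta_key(), recent_admin_accounts() and the PROFILE_FIELDS constant are hypothetical; wp_create_user(), update_user_meta(), get_users(), sanitize_text_field(), get_option() and WP_User::set_role() are WordPress core APIs.

```php
<?php
/*
 * Added illustration; not code from the Ultimate Member plugin or from
 * Wordfence. Function names and PROFILE_FIELDS are hypothetical; the
 * wp_* functions, get_users() and WP_User are WordPress core APIs.
 */

// Hypothetical vulnerable handler. Every submitted form field is stored
// as user meta, so a visitor who includes a wp_capabilities field in the
// request chooses their own roles: WordPress reads a user's roles from
// exactly that meta key (prefixed with the site's table prefix).
function insecure_register(array $post): int
{
    $user_id = wp_create_user($post['username'], $post['password'], $post['email']);
    if (is_wp_error($user_id)) {
        return 0;
    }
    foreach ($post as $key => $value) {
        update_user_meta($user_id, $key, $value);   // no restriction on $key
    }
    return $user_id;
}

// Hardened handler: the role is always the site default, and only an
// allow-list of profile fields is copied into user meta. Anything else in
// the request, including wp_capabilities and wp_user_level, is ignored.
const PROFILE_FIELDS = ['first_name', 'last_name', 'description'];

function secure_register(array $post): int
{
    $user_id = wp_create_user($post['username'], $post['password'], $post['email']);
    if (is_wp_error($user_id)) {
        return 0;
    }
    $user = new WP_User($user_id);
    $user->set_role(get_option('default_role', 'subscriber'));
    foreach (PROFILE_FIELDS as $field) {
        if (isset($post[$field])) {
            update_user_meta($user_id, $field, sanitize_text_field($post[$field]));
        }
    }
    return $user_id;
}

// Defence in depth for code that must accept dynamic meta keys: refuse any
// key that maps onto WordPress's own role and level storage
// ($wpdb->prefix . 'capabilities', $wpdb->prefix . 'user_level'). The
// comparison is case-insensitive and slash-stripped because WordPress
// tables use case-insensitive collations and wp_magic_quotes() slashes
// request data, so a deny-list keyed on the exact spelling is not enough.
function is_reserved_user_meta_key(string $key): bool
{
    global $wpdb;
    $key = strtolower(stripslashes($key));
    foreach (['capabilities', 'user_level'] as $suffix) {
        if ($key === strtolower($wpdb->prefix . $suffix)) {
            return true;
        }
    }
    return false;
}

// Incident-response check: administrator accounts registered on or after
// $since (Y-m-d). Any entry the site owner does not recognise is a
// candidate rogue account created through the registration flow.
function recent_admin_accounts(string $since): array
{
    $admins = get_users([
        'role'       => 'administrator',
        'date_query' => [['after' => $since, 'inclusive' => true]],
        'orderby'    => 'registered',
        'order'      => 'DESC',
    ]);
    return array_map(static fn(WP_User $u) => [
        'id'         => $u->ID,
        'login'      => $u->user_login,
        'email'      => $u->user_email,
        'registered' => $u->user_registered,
    ], $admins);
}
```

recent_admin_accounts('2023-06-01') can be run from a WP-CLI `wp eval-file` script on the affected site; the same check in raw SQL is a join of wp_users and wp_usermeta on meta_key = 'wp_capabilities' filtered for the administrator role and ordered by user_registered. Removing a rogue account is not sufficient on its own: an administrator who has already logged in may have installed plugins or edited theme files, so those should be audited as well.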

News URL

https://www.bleepingcomputer.com/news/security/hackers-exploit-zero-day-in-ultimate-member-wordpress-plugin-with-200k-installs/

Related Vulnerability

Date:        2023-07-04
CVE:         CVE-2023-3460
Title:       Unspecified vulnerability in Ultimatemember Ultimate Member
Description: The Ultimate Member WordPress plugin before 2.6.7 does not prevent visitors from creating user accounts with arbitrary capabilities, effectively allowing attackers to create administrator accounts at will.
Vendor:      ultimatemember
Risk:        critical, CVSS 9.8 (attack vector: network; attack complexity: low)

Related vendor

VENDOR      LAST 12M   LOW   MEDIUM   HIGH   CRITICAL   TOTAL VULNS
Wordpress   7          2     95       44     18         159
Plugin      2          0     13       1      0          14