Security News > 2023 > June > Hackers exploit zero-day in Ultimate Member WordPress plugin with 200K installs
Hackers exploit a zero-day privilege escalation vulnerability in the 'Ultimate Member' WordPress plugin to compromise websites by bypassing security measures and registering rogue administrator accounts.
Ultimate Member is a user profile and membership plugin that facilitates sign-ups and building communities on WordPress sites, and it currently has over 200,000 active installations.
The exploited flaw, tracked as CVE-2023-3460, and having a CVSS v3.1 score of 9.8, impacts all versions of the Ultimate Member plugin, including its latest version, v2.6.6.
Because the critical flaw remains unpatched and is so easy to exploit, WordFence recommends the Ultimate Member plugin be uninstalled immediately.
Hackers target vulnerable Wordpress Elementor plugin after PoC released.
Hackers target Wordpress plugin flaw after PoC exploit released.
News URL
Related news
- Chinese hackers exploit Fortinet VPN zero-day to steal credentials (source)
- LiteSpeed Cache WordPress plugin bug lets hackers get admin access (source)
- Hackers target critical zero-day vulnerability in PTZ cameras (source)
- Russian Hackers Exploit New NTLM Flaw to Deploy RAT Malware via Phishing Emails (source)
- High-Severity Flaw in PostgreSQL Allows Hackers to Exploit Environment Variables (source)
- Botnet exploits GeoVision zero-day to install Mirai malware (source)
- Mystery Palo Alto Networks hijack-my-firewall zero-day now officially under exploit (source)
- Chinese Hackers Exploit T-Mobile and Other U.S. Telecoms in Broader Espionage Campaign (source)
- RomCom hackers chained Firefox and Windows zero-days to deliver backdoor (source)
- RomCom Exploits Zero-Day Firefox and Windows Flaws in Sophisticated Cyberattacks (source)
Related Vulnerability
DATE | CVE | VULNERABILITY TITLE | RISK |
---|---|---|---|
2023-07-04 | CVE-2023-3460 | Unspecified vulnerability in Ultimatemember Ultimate Member The Ultimate Member WordPress plugin before 2.6.7 does not prevent visitors from creating user accounts with arbitrary capabilities, effectively allowing attackers to create administrator accounts at will. | 9.8 |