Hackers exploit a zero-day privilege escalation vulnerability in the 'Ultimate Member' WordPress plugin to compromise websites by bypassing security measures and registering rogue administrator accounts.
Ultimate Member is a user profile and membership plugin that facilitates sign-ups and building communities on WordPress sites, and it currently has over 200,000 active installations.
The exploited flaw, tracked as CVE-2023-3460 with a CVSS v3.1 score of 9.8, impacts all versions of the Ultimate Member plugin, including its latest version, v2.6.6.
Because the critical flaw remains unpatched and is so easy to exploit, Wordfence recommends that the Ultimate Member plugin be uninstalled immediately.
Hackers target vulnerable WordPress Elementor plugin after PoC released.
Hackers target WordPress plugin flaw after PoC exploit released.
Related news
- Hackers exploit 52 zero-days on the first day of Pwn2Own Ireland (source)
- Lazarus hackers used fake DeFi game to exploit Google Chrome zero-day (source)
- Chinese hackers exploit Fortinet VPN zero-day to steal credentials (source)
- Iranian hackers now exploit Windows flaw to elevate privileges (source)
- North Korean ScarCruft Exploits Windows Zero-Day to Spread RokRAT Malware (source)
- Hackers Exploit Roundcube Webmail XSS Vulnerability to Steal Login Credentials (source)
- Hackers exploit Roundcube webmail flaw to steal email, credentials (source)
- Over 70 zero-day flaws get hackers $1 million at Pwn2Own Ireland (source)
- LiteSpeed Cache WordPress plugin bug lets hackers get admin access (source)
- Hackers target critical zero-day vulnerability in PTZ cameras (source)
Related Vulnerability
DATE | CVE | VULNERABILITY TITLE | RISK (CVSS)
---|---|---|---
2023-07-04 | CVE-2023-3460 | Unspecified vulnerability in Ultimatemember Ultimate Member: The Ultimate Member WordPress plugin before 2.6.7 does not prevent visitors from creating user accounts with arbitrary capabilities, effectively allowing attackers to create administrator accounts at will. | 9.8