Hackers Exploiting Unpatched WordPress Plugin Flaw to Create Secret Admin Accounts
As many as 200,000 WordPress websites are at risk of ongoing attacks exploiting a critical unpatched security vulnerability in the Ultimate Member plugin.
Ultimate Member is a popular plugin that facilitates the creation of user profiles and communities on WordPress sites.
"This is a very serious issue: unauthenticated attackers may exploit this vulnerability to create new user accounts with administrative privileges, giving them the power to take complete control of affected sites," WordPress security firm WPScan said in an alert.
"While the plugin has a preset defined list of banned keys that a user should not be able to update, there are trivial ways to bypass filters put in place such as utilizing various cases, slashes, and character encoding in a supplied meta key value in vulnerable versions of the plugin," Wordfence researcher Chloe Chamberland said.
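The weakness Chamberland describes is a general one: an exact-match blocklist compared against raw user input is defeated by any spelling the storage layer later normalizes. The added example below is not the plugin's code; it contrasts that weak check with one that canonicalizes the submitted meta key first and with an allowlist of registered fields. The protected key names and the sample inputs are constructed for illustration.

```python
import urllib.parse

# Illustrative protected meta keys for the demo (assumption, not the
# plugin's real banned-key list).
PROTECTED_KEYS = {"wp_capabilities", "wp_user_level"}


def naive_is_banned(meta_key: str) -> bool:
    """Exact-match blocklist on the raw input: the weak pattern."""
    return meta_key in PROTECTED_KEYS


def canonicalize(meta_key: str) -> str:
    """Reduce a submitted key to the form the database would see:
    percent-decode repeatedly, drop slashes, trim, lowercase."""
    key = meta_key
    for _ in range(3):                      # undo layered percent-encoding
        decoded = urllib.parse.unquote(key)
        if decoded == key:
            break
        key = decoded
    key = key.replace("\\", "").replace("/", "")
    return key.strip().lower()


def hardened_is_banned(meta_key: str) -> bool:
    """Blocklist applied to the canonical form; additionally fail closed on
    any key that needed canonicalizing, since legitimate field names are
    plain lowercase identifiers."""
    canonical = canonicalize(meta_key)
    return canonical in PROTECTED_KEYS or canonical != meta_key


def is_allowed_update(meta_key: str, registered_fields: set) -> bool:
    """Preferred design: only fields the profile form registered may be
    written, so unknown keys are rejected whatever their spelling."""
    canonical = canonicalize(meta_key)
    return canonical == meta_key and canonical in registered_fields


# Constructed inputs covering the case, slash and encoding variants named
# in the article, plus one ordinary profile field.
SAMPLES = ["wp_capabilities", "WP_Capabilities", "wp\\_capabilities",
           "wp%5Fcapabilities", "wp%255Fcapabilities", "description"]

if __name__ == "__main__":
    for key in SAMPLES:
        print(f"{key!r:24} naive={naive_is_banned(key)!s:5} "
              f"hardened={hardened_is_banned(key)}")
```

Running the block shows the naive check passing every variant except the literal key, while the hardened check rejects all of them and still admits "description".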
The issue came to light after reports emerged of rogue administrator accounts being added to the affected sites, prompting the plugin maintainers to issue partial fixes in versions 2.6.4, 2.6.5, and 2.6.6.
In the observed attacks, the flaw is being used to register new accounts under the names apadmins, se brutal, segs brutal, wpadmins, wpengine backup, and wpenginer to upload malicious plugins and themes through the site's administration panel.
News URL: https://thehackernews.com/2023/07/unpatched-wordpress-plugin-flaw-could.html