Vulnerability in Ultimate Member WordPress Plugin Allows Full Site Takeover

Summary

  • The Ultimate Member WordPress plugin, used for creating online communities, has a vulnerability that allows attackers to create administrator-level accounts.
  • A patch was released to fix the vulnerability, but it was not effective, and hackers are actively exploiting it.
  • The exploit is classified as an “Unauthenticated Privilege Escalation,” meaning hackers don’t need any website access to exploit it.
  • The team at Ultimate Member has apologized for the vulnerabilities and has been working on updates to address the issue.
  • Users of the plugin are urged to update to version 2.6.7 immediately to protect their sites.
  • The vulnerability is rated 9.8 out of 10 in terms of severity.

(Update as of July 3, 2024): A new version, 2.6.5, of the Ultimate Member plugin was released last weekend and addresses the issue. If you’re using Ultimate Member, update to this version immediately. Hackers are actively exploiting a vulnerability in the Ultimate Member WordPress plugin, which has over 200,000 active installations, on unpatched WordPress sites. They claim that bypassing the plugin’s security filters requires trivial effort.

Ultimate Member WordPress Plugin

A recent discovery has shed light on a significant vulnerability in the popular Ultimate Member WordPress plugin, raising concerns about cybersecurity and WordPress vulnerabilities. For those unfamiliar, WordPress is a widely used content management system for website creation, while plugins are add-ons that extend the functionality of WordPress sites. The Ultimate Member plugin specifically caters to online communities, enabling users to register, log in, and interact with each other on websites. This newly found vulnerability exposes website owners who rely on the plugin to real risk.

“The plugin does not prevent visitors from creating user accounts with arbitrary capabilities, effectively allowing attackers to create administrator accounts at will. This is actively being exploited in the wild.” (WPScan)

The Ultimate Member Plugin is a powerful and versatile tool designed to enhance WordPress websites by enabling seamless user profile creation, advanced member management, and dynamic community building. Developed to meet the evolving needs of website owners and administrators, this plugin has gained immense popularity due to its user-friendly interface and extensive features.

Features and Functionality

  • User Profile Creation: With Ultimate Member, website owners can effortlessly enable user registration and profile creation on their WordPress sites. Users can easily sign up, log in, and edit their profiles, ensuring a personalized and interactive experience within the online community.
  • Customizable User Profiles: This plugin allows administrators to create and customize user profiles based on the specific needs of their websites. From simple fields like name, email, and bio, to more advanced options like social media links, profile pictures, and custom fields, the possibilities are virtually limitless.
  • Member Directories: The Ultimate Member Plugin facilitates the creation of member directories, allowing users to find and connect with each other more effectively. Whether it’s a professional network, an interest-based community, or an online dating platform, member directories enhance user engagement and foster a sense of belonging.
  • User Roles and Permissions: Administrators can define various user roles and set permissions to control access to specific content or functionalities. This feature is particularly useful for sites that require different levels of access, such as membership sites, online forums, or e-learning platforms.
  • Front-end User Account Management: Ultimate Member enables users to manage their accounts and perform actions directly from the front-end of the website. This means users can edit their profiles, update account information, and even reset passwords without the need to navigate to the WordPress backend.
  • Social Networking Integration: The plugin seamlessly integrates with popular social networking platforms, allowing users to log in or register using their existing social media accounts. This feature streamlines the registration process and encourages higher user engagement.
  • Extensibility with Add-ons: Ultimate Member offers a range of add-ons that expand its functionalities even further. These add-ons provide options like private messaging, user reviews, user-generated content, content restriction, and much more, making the plugin adaptable to a wide range of website requirements.

Ultimate Member Plugin Purpose

The primary purpose of the Ultimate Member Plugin is to transform your WordPress site into a thriving online community. It empowers website owners, developers, and administrators to create a welcoming and interactive platform where users can register, connect, and engage with each other effortlessly.

By simplifying user profile creation, enabling social login options, and offering a myriad of customization possibilities, the plugin ensures a seamless user experience, thereby increasing user retention and community growth.

Understanding the Vulnerability in Ultimate Member Plugin

Plugin Vulnerability Description

Researchers have discovered a critical privilege escalation vulnerability, designated CVE-2024-3460, in the popular Ultimate Member WordPress plugin, which is commonly used for user profile management. The flaw was a zero-day at the time of discovery: it allows bad actors to bypass the plugin’s regular security checks and escalate their privileges within the WordPress site.

Vulnerability Summary

Description: Ultimate Member <= 2.6.6 – Privilege Escalation via Arbitrary User Meta Updates
Affected Plugin: Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin
Plugin Slug: ultimate-member
Affected Versions: <= 2.6.6
CVE ID: CVE-2024-3460
CVSS Score: 9.8 (Critical)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Researcher(s): Marc-Alexandre Montpas
Fully Patched Version: NONE

Attackers can leverage this vulnerability to gain administrative access, potentially compromising user data and taking control of the entire website. As a result, data breaches, unauthorized content modifications, and complete WordPress website hijacking become plausible risks. Because the plugin is used across diverse industries, from personal blogs to large-scale e-commerce platforms, the potential exposure is substantial.

Plugin Vulnerability Impact on WordPress

The CVE-2024-3460 vulnerability has severe ramifications for affected websites. Malicious actors can exploit the flaw to compromise user data, leading to privacy violations and potential identity theft. They can also gain unauthorized access to the WordPress administration area, enabling them to manipulate content, distribute malware, and disrupt services. Compromised websites may suffer reputational damage, resulting in loss of trust and potential financial repercussions.

Affected Version of Ultimate Member Plugin

In late June 2024, security researchers discovered the vulnerability, and the publishers of Ultimate Member quickly responded by releasing a patch to close it. The vulnerability impacts version 2.6.5 of the Ultimate Member WordPress plugin, published on June 28th.

Solution of Vulnerability in Ultimate Member Plugin

A new version, 2.6.7, was released this weekend and fixes the issue. If you use Ultimate Member, update to this version as soon as possible.

“This is a very serious issue: unauthenticated attackers may exploit this vulnerability to create new user accounts with administrative privileges, giving them the power to take complete control of affected sites.” (WPScan)

WPScan, the security researchers who reported the issue, are urging all users of the plugin to update their sites to version 2.6.7 without delay. On a scale of 1 to 10, this vulnerability rates 9.8, the most critical level. Users of the plugin should update immediately.

The plugin relied on a blocklist to decide which user metadata keys a registration form could set. Unfortunately, differences between Ultimate Member’s blocklist logic and how WordPress handles metadata keys made it possible for attackers to trick the plugin into updating keys it shouldn’t, such as “wp_capabilities,” which stores a user’s role and capabilities.

A better practice is to use allowlists, which explicitly approve specific inputs and reject anything that doesn’t match the list. An allowlist generally provides a more robust security measure, because a key the developer never thought of is rejected by default instead of being accepted by default.
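The following Python model, added here and not taken from Ultimate Member or WordPress, shows why an exact-match blocklist on metadata keys is brittle and an allowlist is not. The key names, the sample form submission and the `normalize_key` rule (trim and lower-case before storing) are assumptions made for the illustration; they do not describe the actual bypass used against the plugin.

```python
"""Blocklist vs. allowlist filtering of user-meta keys (illustrative model).

Added example for this article; not Ultimate Member's or WordPress's code.
The storage layer below normalizes keys, which is an assumption chosen to
show how a filter and a store can disagree about what a key "is".
"""
from __future__ import annotations

from typing import Callable

# Keys a registration form must never be allowed to write (constructed list).
BLOCKLIST = {"wp_capabilities", "wp_user_level", "um_member_status"}

# Profile fields a registration form is explicitly allowed to set (constructed list).
ALLOWLIST = {"first_name", "last_name", "description", "user_url"}

# Constructed sample submission: one legitimate field plus a key that is
# spelled differently from the blocklist entry but normalizes to it.
SAMPLE_SUBMISSION = {
    "first_name": "Alice",
    " WP_Capabilities ": "<role payload placeholder>",
}


def normalize_key(key: str) -> str:
    """Assumed normalization applied by the storage layer before writing."""
    return key.strip().lower()


def blocklist_filter(submitted: dict[str, str]) -> dict[str, str]:
    """Weak filter: drops only keys that exactly match a BLOCKLIST entry."""
    return {k: v for k, v in submitted.items() if k not in BLOCKLIST}


def allowlist_filter(submitted: dict[str, str]) -> dict[str, str]:
    """Robust filter: keeps only keys that normalize to an approved field.

    Normalizing inside the filter means the filter and the store agree.
    """
    return {
        normalize_key(k): v
        for k, v in submitted.items()
        if normalize_key(k) in ALLOWLIST
    }


def store_meta(filtered: dict[str, str]) -> dict[str, str]:
    """Simulated storage layer: normalizes keys on write."""
    return {normalize_key(k): v for k, v in filtered.items()}


def privileged_keys_written(
    submitted: dict[str, str],
    filter_fn: Callable[[dict[str, str]], dict[str, str]],
) -> set[str]:
    """Return the blocklisted keys that reach storage after filtering."""
    stored = store_meta(filter_fn(submitted))
    return {k for k in stored if k in BLOCKLIST}


if __name__ == "__main__":
    for name, fn in (("blocklist", blocklist_filter), ("allowlist", allowlist_filter)):
        leaked = privileged_keys_written(SAMPLE_SUBMISSION, fn)
        print(f"{name:9s} -> privileged keys written: {sorted(leaked) or 'none'}")
```

The blocklist version lets the oddly spelled key through because the comparison happens before normalization, and the store then writes it under the canonical name; the allowlist version rejects it regardless of spelling because only known profile fields are ever accepted.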

Indicators of Compromise

Over the course of our observations, we have detected several IP addresses that were actively attacking sites:

13.115.254.242
18.183.89.3
43.207.157.215
52.77.211.128
54.204.198.153
54.238.232.81
73.85.149.184
103.30.11.160
103.30.41.32
103.187.5.128
123.148.137.93
149.102.246.53
154.23.241.178
163.123.192.54
165.227.120.193
169.150.227.217
213.232.113.183

The typical attacks we’ve observed follow these steps:

  • An initial POST request is made to the plugin’s user registration page, typically “/register.”
  • The attacker then attempts to log in using the newly created account through the “/wp-login.php” page.
  • Finally, a malicious plugin is uploaded through the site’s administration panel.

Common usernames for malicious accounts created during the recent attack wave include:

apadmins
wpadmins
wpenginer
segs_brutal

Other indicators of compromise include the presence of malicious plugins, themes, and code additions:

  • Malicious plugins like “yyobang” and backdoors such as “autoload_one.php” were added to legitimate plugins.
  • Malicious themes, for instance, “fing.”
  • Modifications made to the active theme’s functions.php, which included attempts to create a persistent user named “wpadminns.”
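To turn the indicators above into something a site owner can run, here is an added Python sweep (not from WPScan or the plugin) that checks a web-server access log for the three-step pattern described above (POST to the registration page, then a login, then a plugin upload from the same IP), cross-references the source IP against the addresses listed in this article, and flags the published usernames in a user list. The log lines are constructed for the example; the IP addresses and usernames are the ones given on this page, and the plugin-upload path is the standard WordPress upload endpoint.

```python
"""Sweep an access log and a user list for the indicators listed above.

Added example for this article. The log lines in SAMPLE_LOG are constructed;
the IP and username lists are the ones published in the article.
"""
from __future__ import annotations

import re
from collections import defaultdict

KNOWN_BAD_IPS = {
    "13.115.254.242", "18.183.89.3", "43.207.157.215", "52.77.211.128",
    "54.204.198.153", "54.238.232.81", "73.85.149.184", "103.30.11.160",
    "103.30.41.32", "103.187.5.128", "123.148.137.93", "149.102.246.53",
    "154.23.241.178", "163.123.192.54", "165.227.120.193", "169.150.227.217",
    "213.232.113.183",
}

SUSPICIOUS_USERNAMES = {"apadmins", "wpadmins", "wpenginer", "segs_brutal", "wpadminns"}

# Constructed combined-log-format lines: one full attack chain from a listed IP,
# one benign visitor who only registers, and one unrelated request.
SAMPLE_LOG = """\
13.115.254.242 - - [28/Jun/2024:10:01:12 +0000] "POST /register/ HTTP/1.1" 302 0
13.115.254.242 - - [28/Jun/2024:10:01:20 +0000] "POST /wp-login.php HTTP/1.1" 302 0
13.115.254.242 - - [28/Jun/2024:10:02:05 +0000] "POST /wp-admin/update.php?action=upload-plugin HTTP/1.1" 200 5120
198.51.100.7 - - [28/Jun/2024:10:03:00 +0000] "GET /register/ HTTP/1.1" 200 8812
198.51.100.7 - - [28/Jun/2024:10:03:30 +0000] "POST /register/ HTTP/1.1" 302 0
203.0.113.9 - - [28/Jun/2024:10:04:00 +0000] "GET /about/ HTTP/1.1" 200 3311
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def parse_log(text: str):
    """Yield one dict per parseable access-log line."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield m.groupdict()


def classify(entry: dict) -> str | None:
    """Map a POST request to a stage of the observed chain, or None."""
    if entry["method"] != "POST":
        return None
    path = entry["path"].split("?", 1)[0].rstrip("/")
    if path.endswith("/register"):
        return "register"
    if path.endswith("/wp-login.php"):
        return "login"
    if path.endswith("/update.php") and "action=upload-plugin" in entry["path"]:
        return "plugin_upload"
    return None


def score_ips(text: str) -> dict[str, dict]:
    """Per source IP: stages seen, whether it is a listed IP, full chain or not."""
    stages: dict[str, set[str]] = defaultdict(set)
    for entry in parse_log(text):
        stage = classify(entry)
        if stage:
            stages[entry["ip"]].add(stage)
    return {
        ip: {
            "stages": sorted(seen),
            "known_bad_ip": ip in KNOWN_BAD_IPS,
            "full_chain": {"register", "login", "plugin_upload"} <= seen,
        }
        for ip, seen in stages.items()
    }


def flag_user_list(usernames: list[str]) -> list[str]:
    """Return the usernames (as given) that match the published list, case-insensitively."""
    return sorted(u for u in usernames if u.lower() in SUSPICIOUS_USERNAMES)


if __name__ == "__main__":
    for ip, info in score_ips(SAMPLE_LOG).items():
        print(ip, info)
    print("flagged users:", flag_user_list(["alice", "wpadmins", "WPEnginer", "bob"]))
```

A registration POST on its own is normal traffic, so the sweep reports the stages seen per IP rather than alerting on a single request; a listed IP or a complete register/login/upload chain is what deserves a closer look at the site’s user table, plugin directory and active theme.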

Conclusion

The Ultimate Member team wrote:

“Firstly, we want to say sorry for these vulnerabilities in our plugin’s code and to any website that has been impacted and the worry this may have caused by learning of the vulnerabilities. As soon as we were made aware that security vulnerabilities had been discovered in the plugin, we immediately began updating the code to patch the vulnerabilities.”

“We have released several updates since the disclosure as we worked through the vulnerabilities, and we want to say a big thank you to the team at WPScan for providing assistance and guidance with this after they got in touch to disclose the vulnerabilities.”

We strongly advise updating your Ultimate Member plugin to version 2.6.7, which addresses this security issue. To ensure your website’s protection against such vulnerabilities, we highly recommend implementing a comprehensive security plan that includes regular scanning for malicious files and maintaining backups.
