Posted on July 2, 2023 at 5:47 PM

Hackers Exploits Zero-Day Vulnerability In Ultimate Member WordPress Plugin With 200K Installs

Hackers have exploited a zero-day vulnerability within the “Ultimate Member” WordPress plugin. The zero-day privilege escalation vulnerability was exploited to conduct hacking exploits against websites while bypassing the security guidelines put in place. The flaw can also be exploited to register malicious rogue administrator accounts.

Hackers exploit the zero-day flaw on Ultimate Member WordPress plugin

Ultimate Member operates as a user profile and membership plugin. This plugin facilitates a wide range of functions, such as signups and creating communities on WordPress sites. The plugin is one of the most-used tools, as it has more than 200,000 active installations.

The flaw exploited by the hackers is tracked as CVE-2023-3460. The flaw has a CVSSv3.1 score of 9.8, which is deemed to be critical. Moreover, it affects all the versions of the Ultimate Member plugin, which includes the latest version, v2.6.6.

The developers had initially attempted to issue a patch to address this security flaw. The patch was available for versions 2.6.2, 2.6.4, 2.6.5, and 2.6.6. However, the patch did not fully address the issue in question, as there are still ways that hackers can use to exploit the vulnerability and cause significant harm to the targeted devices.

According to the developers, they would continue to work on the process of resolving the pending issue with the flaw. They are also anticipating that a patch that will fully solve the problem and prevent more exploits from happening will be offered soon.

One of the developers at Ultimate Member said that the company was working on issuing a fix related to the security flaw since version 2.6.3. The developer said that such issues would be addressed once there was a report from a customer on the issue.

“Versions 2.6.4, 2.6.5, 2.6.6 partially close this vulnerability, but we are still working together with WPScan team for betting the best result. We also get their report will all necessary details,” one of the developers at Ultimate Member said.

The developer noted that all the previous versions were still vulnerable to exploits. As such, the platform recommended that the users conduct upgrades to their websites to realize version 2.6.6. It was also recommended that users maintain their updates in the future by getting access to the recent security and feature enhancements.

Attackers exploit the CVE-2023-3460 flaw

Threat actors have been conducting a myriad of attacks exploiting this security flaw. The exploits were detected by Wordfence cybersecurity researchers. These researchers warned that hackers were exploiting this security flaw through the registration forms of the plugin. The exploits were being done to set up arbitrary meta values on user accounts.

The threat actor behind these campaigns has also used the “wp_capabilities” user meta value to define their role as administrators on the platform. As such, they usually have complete access to the site that is vulnerable to attacks.

The plugin also comes with a blocklist containing keys that cannot be upgraded. However, Wordfence researchers noted that bypassing the protection measure did not have much of an impact. 

Several WordPress sites were compromised by this security vulnerability. There are multiple changes that happen once the hackers have exploited the flaw on the targeted device. The user will notice new administrator accounts on the targeted website. Usernames such as se_brutal, segs_brutal, wpadmins, wpengine_backup, and wpenginer will also be seen.

The flaw can also be detected by log records showing that IPs that are malicious were used to access the Ultimate Member registration page. User accounts using email addresses linked to exelica.com will also appear. Lastly, the flaw exploitation can be detected through the installation of new WordPress plugins and themes on the targeted site.

The critical vulnerability is yet to receive a patch, making it easy to exploit. As such, WordFence has recommended that the Ultimate Member plugin be uninstalled to protect users and ensure hackers are kept at bay.

Wordfence has also said that the firewall rule that it developed to safeguard clients cannot fully protect against the possible exploitation of the flaw. As such, the only option that users have is to uninstall the plugin until the vendor has developed and issued a flaw that will prevent more exploits from happening.

Once a site is found to have been compromised through these attacks, the act of removing the plugin is not adequate to solve the issue. In such cases, website owners need to run malware scans that will eliminate the remnants of compromise, including rogue admin accounts and backdoors.