Hackers actively exploit a zero-day vulnerability in the WordPress plugin Ultimate Member to increase privileges: with the help of this bug, attackers hack sites, bypassing protection, and create new administrator accounts. The Ultimate Member plugin is designed to facilitate registration and community creation on WordPress sites, and currently has more than 200,000 active installations.
Ultimate Member WordPress Plugin 0-day Vulnerability
That is not the first case when a WordPress plugin appears to contain a 0-day exploit. In particular, hackers used GoTrim malware to hack into WP-based sites. The scale of hackers’ interest in hacking such websites is confirmed by the number of sites they scanned looking for vulnerabilities.
The used-in-the-wild vunerability received the identifier CVE-2023-3460 and a score of 9.8 on the CVSS scale. The max score is 10, so you can undestand how critical it is. The problem affects all Ultimate Member versions, including the latest version 2.6.6. The developers initially tried to fix the vulnerability in versions 2.6.3, 2.6.4, 2.6.5 and 2.6.6. Though, it appears that the vulnerability resides deeper. The authors of the plugin declare that they continue to work on solving the remaining problems and hope to release a new patch in the nearest future.
How does that work?
Attacks on a vulnerability in Ultimate Member were detected by Wordfence specialists, who warn that criminals use a bug in the plugin’s registration form to set arbitrary meta-values for their accounts.
In particular, hackers set the wp_capabilities meta-value to assign themselves the role of administrator. Obviously, that gives them full access to the vulnerable resource. The plugin has a black list of keys that users can’t update, which may ease the problem. Nonetheless, researchers say that it’s quite easy to bypass this protective measure.
Sites hacked using CVE-2023-3460 will have the following indicators of compromise:
- the appearance of new administrative records on the site;
- use of wpenginer, wpadmins, wpengine_backup, se_brutal, segs_brutal;
- logs showing that IP-addresses known to be malicious have accessed the Ultimate Member registration page;
- logs that fixed access with 146.70.189.245, 103.187.5.128, 103.30.11.160, 103.30.11.146 and 172.70.147.176;
- the appearance of a record with an email address associated with exelica.com;
- installation of new plugins and those on the site.
The critical vulnerability remains unfixed and extremely easy to use. WordFence recommends all administrators to immediately remove the Ultimate Member plugin. Experts explain that even the specific firewall setups do not cover all possible scenarios of exploitation. So for now, removing the plugin remains the only possible solution.