Today, on June 29, 2023, the Wordfence Threat Intelligence Team became aware of an unpatched privilege escalation vulnerability being actively exploited in Ultimate Member, a WordPress plugin installed on over 200,000 sites. We learned of it through the vulnerability changelog monitoring we perform to keep the Wordfence Intelligence Vulnerability Database up to date and accurate. Upon further investigation, we confirmed that this vulnerability is being actively exploited and that it has not been adequately patched in the latest available version, which is 2.6.6 at the time of this writing.
Once we determined the root cause, we released a firewall rule to help protect our Wordfence Premium, Wordfence Care, and Wordfence Response customers. Wordfence free users will receive the same protection in 30 days on July 29th, 2023. As the latest version of the plugin, 2.6.6, is not fully patched, we recommend uninstalling the plugin until a complete patch has been released.
Vulnerability Summary from Wordfence Intelligence
Affected Plugin: Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin
Plugin Slug: ultimate-member
Affected Versions: <= 2.6.6
CVE ID: CVE-2023-3460
CVSS Score: 9.8 (Critical)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Researcher/s: Unknown, Marc-Alexandre Montpas
Fully Patched Version: NONE
The Ultimate Member plugin for WordPress is vulnerable to privilege escalation in versions up to, and including, 2.6.6. This is due to the plugin using a predefined list of banned user meta keys, which can be bypassed via a few methods, such as adding slashes to the user meta key. This makes it possible for unauthenticated attackers to register on a site as an administrator.
Ultimate Member is a plugin designed to add easy registration and account management to WordPress sites. One of the features is a registration form that users can use to sign up for an account on a WordPress site running the plugin. Unfortunately, this form makes it possible for users to register and set arbitrary user meta values for their account.
While the plugin has a predefined list of banned keys that a user should not be able to update, in vulnerable versions there are trivial ways to bypass the filters put in place, such as varying the case, adding slashes, or changing the character encoding of a supplied meta key.
This makes it possible for attackers to set the wp_capabilities user meta value, which controls the user’s role on the site, to ‘administrator’. This grants the attacker complete access to the vulnerable site when successfully exploited.
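As an added example (not the plugin's code or Wordfence's firewall rule), the following Python contrasts the exact-match blocklist the advisory describes with a check that canonicalizes the submitted key first and, more robustly, only accepts keys the registration form actually declares. The banned-key set, the form allowlist and the sample submission are constructed for illustration.

```python
import re
from urllib.parse import unquote

# Assumption: an illustrative subset of keys a registration handler must
# never write. wp_capabilities is the key the advisory names; the plugin's
# real blocklist is not reproduced here.
BANNED_META_KEYS = {"wp_capabilities", "wp_user_level"}


def naive_is_banned(key: str) -> bool:
    """Exact-match blocklist: the weak pattern the advisory describes."""
    return key in BANNED_META_KEYS


def canonicalize(key: str, max_rounds: int = 5) -> str:
    """Fold away the variations the advisory names (case, slashes, character
    encoding) so every spelling of a key compares as the same string.
    Repeats until stable so double-encoded input is also unwound."""
    cur = key
    for _ in range(max_rounds):
        prev = cur
        cur = unquote(cur)             # %77p_... -> wp_...
        cur = cur.replace("\\", "")    # wp\_capabilities -> wp_capabilities
        cur = re.sub(r"\s+", "", cur)  # stray whitespace around the key
        cur = cur.lower()              # WP_Capabilities -> wp_capabilities
        if cur == prev:
            break
    return cur


def is_banned(key: str) -> bool:
    """Blocklist check applied to the canonical form of the key."""
    return canonicalize(key) in BANNED_META_KEYS


def vet_submission(fields: dict, form_allowlist: set) -> dict:
    """Keep only fields the form declares and that also pass the blocklist.
    The allowlist is the stronger control: a key the form never defined is
    dropped no matter how it is spelled or encoded."""
    accepted = {}
    for raw_key, value in fields.items():
        key = canonicalize(raw_key)
        if key in form_allowlist and not is_banned(key):
            accepted[key] = value
    return accepted


if __name__ == "__main__":
    # Constructed submission: one ordinary field plus a disguised banned key.
    submitted = {"user_login": "alice", "WP_Capabilities": "administrator"}
    print(vet_submission(submitted, {"user_login", "description"}))
```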
Indicators of Compromise
While our attack data is limited at this point, we do have the following indicators of compromise from a separate pre-existing firewall rule that provided partial coverage for this vulnerability. We recommend running a complete Wordfence malware scan to ensure your site is not compromised if you are running Ultimate Member, and keeping an eye out for the following indicators of compromise.
The most important thing to check for is new user accounts created with administrator privileges.
We are seeing the following usernames in our attack data:
Access log entries showing attackers hitting a compromised site’s Ultimate Member registration page, which is set on the /register path by default.
Look for the following IP Addresses in a site’s access logs, or in the Wordfence plugin’s live traffic feed.
The following domain has been associated with user account email addresses.
Check for plugins and themes that may not have been installed previously.
If your site has been compromised by this exploit, we offer professional site cleaning services through Wordfence Care, with Wordfence Response providing an expedited turnaround time. Alternatively, if you’re comfortable with doing so we provide instructions on how to clean your site using the free Wordfence plugin.
In today’s PSA, we covered a Critical-severity Privilege Escalation vulnerability in Ultimate Member that is being actively exploited. The vulnerability remains unpatched and can quickly allow unauthenticated users to automatically take over any site with the plugin installed. This means that all 200,000 installations are currently at risk. We recommend verifying that this plugin is not installed on your site until a patch is made available, and forwarding this advisory to anyone you know who manages a WordPress website.
While the firewall rule we released today should protect Wordfence Premium, Wordfence Care, and Wordfence Response users from site takeover, the Ultimate Member plugin contains additional functionality that is impractical to block and that could potentially be abused by a sophisticated attacker in combination with vulnerabilities in other software. As such, we recommend uninstalling the plugin even if you are protected by our firewall rule, as the rule minimizes but does not fully eliminate the risk presented by this vulnerability.
Special thank you to Ramuel Gall, Wordfence Senior Security Researcher, and István Márton, Wordfence Vulnerability Researcher, for their assistance reverse engineering this vulnerability and for contributing to this post!