Hackers Actively Exploiting Unpatched Privilege Escalation Vulnerability in Ultimate Member Plugin

WPScan is reporting a hacking campaign actively exploiting an unpatched vulnerability in the Ultimate Member plugin, which allows unauthenticated attackers to create new user accounts with administrative privileges and take over the site. The vulnerability has been assigned a CVSSv3.1 (Common Vulnerability Scoring System) score of 9.8 (Critical).

Automattic’s WP.cloud and Pressable.com hosting platforms noticed a pattern among compromised sites: each had new, unauthorized administrator accounts appearing. On further investigation they found a discussion on the WordPress.org support forums about a possible privilege escalation vulnerability in the plugin, along with indications that it was already being actively exploited.

Ultimate Member, which is active on more than 200,000 WordPress sites, released a patch, but WPScan reports that it was insufficient.

“In response to the vulnerability report, the creators of the plugin promptly released a new version, 2.6.4, intending to fix the problem,” WPScan security researcher Marc Montpas said. “However, upon investigating this update, we found numerous methods to circumvent the proposed patch, implying the issue is still fully exploitable.

“Adding to the urgency of the situation, a look at our monitoring systems also confirmed attacks using this vulnerability were indeed happening in the wild.”

WPScan has identified more than a dozen IP addresses from which exploits are originating, common usernames for malicious accounts, and other indicators of compromise, such as malicious plugins, themes, and code. Check the security advisory if you believe you have been compromised.

Version 2.6.6 is the latest release of the Ultimate Member plugin, but it is still believed to be vulnerable. WPScan recommends that users disable the plugin until it has been adequately patched.


2 responses to “Hackers Actively Exploiting Unpatched Privilege Escalation Vulnerability in Ultimate Member Plugin”

  1. It appears that WPScan might be providing at least somewhat misleading information here. The change made in version 2.6.4 stops how this was reported to us as being exploited. Based on the change made in 2.6.5, it seems possible that WPScan is referring to the security being poorly implemented, which it is, as opposed to there being a bypass for the exploit that is happening.

    Something else important to note is that WPScan disclosed that Automattic’s web application firewall (WAF) had failed to protect against this. We just released results of testing we did of 32 WordPress security plugins, which found that 2 of them provided protection for this vulnerability even before it started being exploited: https://www.pluginvulnerabilities.com/2023/06/30/ninjafirewall-and-plugin-vulnerabilities-firewall-are-only-wordpress-security-plugins-that-protected-against-recent-zero-day/

    The 2 plugins that provided protection were able to do that because they hook deeply into WordPress, which WAFs can’t do. That runs contrary to the common misconception that firewall plugins can’t provide protection beyond what WAFs do.

