Ultimate Member Plugin Unpatched Privilege Escalation Vulnerability is Exploited
Take action: This is not a joke. DISABLE your Ultimate Member Plugin immediately, or your WordPress WILL BE COMPROMISED. Read the linked advisory from WPScan for technical details of the attack.
WPScan has detected an ongoing hacking campaign that exploits an unpatched vulnerability in the Ultimate Member plugin for WordPress. The vulnerability allows unauthorized attackers to create new user accounts with administrative privileges, leading to a complete takeover of the affected site.
CVE-2023-3460 has been assigned a CVSSv3.1 score of 9.8.
Automattic's WP.cloud and Pressable.com hosting platforms noticed a concerning pattern in compromised sites, where unauthorized administrators were appearing. Further investigation revealed a discussion on the WordPress.org support forums regarding a potential Privilege Escalation vulnerability in the Ultimate Member plugin, with indications that it was already being actively exploited.
Ultimate Member, which is installed on over 200,000 WordPress sites, released a patch for the plugin in version 2.6.4. However, WPScan discovered that the patch was insufficient. Despite the prompt release of the new version, investigations revealed multiple ways to bypass the proposed patch, indicating that the vulnerability remains fully exploitable.
While version 2.6.6 is the latest release of the Ultimate Member plugin, it is still believed to be vulnerable.
Currently, the only certain defense is to disable the plugin until a comprehensive patch has been implemented.
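The indicator that surfaced this campaign was administrator accounts that nobody on the site team had created. The script below is an added example, not code from WPScan or the Ultimate Member project: it takes the CSV that WP-CLI prints for `wp user list --role=administrator --format=csv`, flags every administrator login that is not on a site-owner allowlist, and reports whether the containment step from the advisory (deactivating the plugin) is due. The allowlist, the sample CSV and the function names are constructed for illustration; `ultimate-member` is the plugin's WordPress.org slug.

```shell
#!/bin/sh
# Added example (not from the advisory or the plugin). Triage helper for the
# indicator described above: administrator accounts the site owner did not create.
#
# On a live site the input comes from WP-CLI:
#   wp user list --role=administrator \
#      --fields=ID,user_login,user_email,user_registered --format=csv
# and the containment step from the advisory is:
#   wp plugin deactivate ultimate-member

# Logins the site owner knows to be legitimate (assumption: maintained by hand).
KNOWN_ADMINS="siteowner,ops-admin"

# Read WP-CLI CSV on stdin; print every administrator row whose user_login
# ($2) is not in the comma-separated allowlist given as $1. The header is skipped.
find_unexpected_admins() {
    awk -F, -v allow="$1" '
        BEGIN { n = split(allow, a, ","); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        NR == 1 { next }
        !($2 in ok) { print $0 }
    '
}

# Print the WP-CLI containment command when $1 (a count of unexpected admins)
# is greater than zero, otherwise print a short "nothing to do" note.
containment_for() {
    if [ "$1" -gt 0 ]; then
        printf '%s\n' "wp plugin deactivate ultimate-member"
    else
        printf '%s\n' "no unexpected administrators; plugin state unchanged"
    fi
}

# Constructed sample of what WP-CLI would print on a site where an unauthorized
# administrator was added during the campaign. Not real data.
SAMPLE_CSV='ID,user_login,user_email,user_registered
1,siteowner,owner@example.test,2021-03-02 10:15:00
7,ops-admin,ops@example.test,2022-06-11 08:00:00
4412,wpadmin_x9,x9@example.test,2023-06-30 03:41:27'

# Stand-alone run over the constructed sample.
suspects=$(printf '%s\n' "$SAMPLE_CSV" | find_unexpected_admins "$KNOWN_ADMINS")
count=$(printf '%s' "$suspects" | grep -c . || true)
printf 'unexpected administrators (%s):\n%s\n' "$count" "$suspects"
containment_for "$count"
```

Run it on a real site by replacing the `SAMPLE_CSV` pipeline with the `wp user list` command from the comment; because the check keys on an allowlist rather than on a registration date, it also catches an attacker who backdates nothing but reuses a plausible-looking login.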