Specialists at Defiant, the company behind Wordfence, warned that vulnerabilities in the Ultimate Member WordPress plugin put 100,000 sites at risk.
Plugin users need to update to the latest version as soon as possible: a number of critical bugs leading to privilege escalation and site hijacking were recently fixed in the plugin. Ultimate Member is a popular plugin installed on over 100,000 sites. It allows administrators to extend and customize the functionality of user profiles.
All of the bugs were fixed with the release of Ultimate Member 2.1.12 on October 29, 2020.
Two of the vulnerabilities scored 10 out of 10 on the CVSS vulnerability rating scale. The first problem was discovered in the user registration form. Due to the lack of validation of user input, attackers could submit arbitrary custom meta keys during registration. These keys updated information in the database, including the parameters used to define the user's role and privileges.
The second 10-point vulnerability was found in the same function. The lack of proper filtering allowed an attacker to assign themselves the desired role parameter. Although standard WordPress roles were not available, custom roles from the Ultimate Member plugin could be used instead.
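The two registration-form bugs described above both come down to trusting submitted meta keys and role values. The following is an added illustration of the weak pattern beside a hardened one; it is not Ultimate Member's code, and the plugin role meta key name is a placeholder.

```php
<?php
// Illustrative WordPress registration handler (not Ultimate Member's code).
// The weakness described above: every submitted field is written as user meta,
// so a registrant can set the keys that WordPress or a plugin reads roles from.

// Unsafe pattern, shown for contrast: the caller controls both key and value.
function unsafe_save_registration_meta( int $user_id, array $submitted ): void {
    foreach ( $submitted as $key => $value ) {
        update_user_meta( $user_id, $key, $value ); // attacker-chosen $key
    }
}

// Hardened pattern: only fields the form legitimately collects are written,
// and keys that define roles or capabilities are refused outright.
const REGISTRATION_META_ALLOWLIST = [ 'first_name', 'last_name', 'description' ];
const PLUGIN_ROLE_META_KEY        = 'example_plugin_role'; // placeholder name

function is_role_defining_meta_key( string $key ): bool {
    global $wpdb;
    // WordPress stores roles in {prefix}capabilities and {prefix}user_level.
    $core_keys = [ $wpdb->prefix . 'capabilities', $wpdb->prefix . 'user_level', PLUGIN_ROLE_META_KEY ];
    // is_protected_meta() additionally rejects WordPress-internal (underscore) keys.
    return in_array( $key, $core_keys, true ) || is_protected_meta( $key, 'user' );
}

function safe_save_registration_meta( int $user_id, array $submitted ): void {
    foreach ( $submitted as $key => $value ) {
        $key = sanitize_key( $key );
        // Allowlist first; the role check is defense in depth if the list grows.
        if ( ! in_array( $key, REGISTRATION_META_ALLOWLIST, true ) || is_role_defining_meta_key( $key ) ) {
            continue; // drop anything the form is not expected to send
        }
        update_user_meta( $user_id, $key, sanitize_text_field( wp_unslash( $value ) ) );
    }
}

// The role is decided server-side and never read from the request.
function assign_default_registration_role( int $user_id ): void {
    $user = new WP_User( $user_id );
    $user->set_role( 'subscriber' );
}
```

The same allowlist approach applies to any profile-update handler that saves form fields as user meta.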
The third bug is rated 9.8 out of 10, as exploiting it requires wp-admin access to the site's profile.php page. However, the flaw is still considered extremely dangerous, since it allows any authenticated attacker to easily elevate their privileges to administrator.
According to the experts, more than 80% of users have already installed the updated version of the plugin. However, that still leaves around 25,000 Ultimate Member sites vulnerable to potential attacks.
Recall also that we previously reported that the Popup Builder WordPress plugin endangered 100,000 sites, and that vulnerabilities in the WordPress Database Reset plugin allowed hijacking a site or erasing all of its data.