Vulnerabilities in WordPress plugin put 100,000 sites at risk

Written by Emma Davis

Specialists at Defiant, the company that develops Wordfence, warned that vulnerabilities in the Ultimate Member WordPress plugin put 100,000 sites at risk.

Plugin users need to update to the latest version as soon as possible: the plugin recently received fixes for several critical bugs that allow privilege escalation and site takeover.

Ultimate Member is a popular plugin installed on over 100,000 sites. It allows administrators to extend and optimize the functionality of user profiles.

According to the researchers, the plugin contained three vulnerabilities that could be used for privilege escalation, allowing attackers to elevate their privileges to administrator level and then take control of the site. "Bugs were found in versions 2.1.11 and below," the Defiant experts said.

All bugs were fixed with the release of the Ultimate Member 2.1.12 on October 29, 2020.

Two of the vulnerabilities scored 10 out of 10 on the CVSS scale. The first was found in the user registration form: because user input was not validated, attackers could submit arbitrary custom meta keys during registration. These keys updated records in the database, including the user meta that defines the user's role and privileges.

"The attacker simply needed to add wp_capabilities[administrator] to the registration request, and the attacker would update the wp_capabilities field with the administrator role," the experts write.

The second 10-point vulnerability was found in the same function: insufficient filtering allowed an attacker to set the role parameter to a role of their choosing. Standard WordPress roles could not be assigned this way, but custom roles defined by the Ultimate Member plugin could.
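As an added illustration of the defensive pattern behind these two fixes (example code written for this article, not Ultimate Member's or WordPress's own code), the PHP script below shows how a registration handler can allowlist both the meta keys and the role it accepts from a request. The field names, the `SELF_ASSIGNABLE_ROLES` list and the sample submission are assumptions constructed for the example; `wp_capabilities` and `wp_user_level` are WordPress's standard user-meta keys under the default table prefix.

```php
<?php
// Added example, not code from the article, Ultimate Member or WordPress core.
// It shows the defensive pattern the fixes describe: a self-service registration
// form must never write whatever meta keys the request carries. Runs stand-alone
// with `php registration_allowlist.php`; field and role names are hypothetical.
declare(strict_types=1);

// Profile fields a visitor may set about themselves at registration (hypothetical).
const ALLOWED_REGISTRATION_META = ['first_name', 'last_name', 'description'];

// Roles a visitor may pick for themselves; any other value falls back to the default.
const SELF_ASSIGNABLE_ROLES = ['subscriber'];

// Keys that decide privileges and must never be taken from a request.
// WordPress stores capabilities under "{table prefix}capabilities" (wp_capabilities
// with the default prefix) and the legacy level under "{prefix}user_level".
const PROTECTED_META_KEYS = ['wp_capabilities', 'wp_user_level', 'role'];

/**
 * Keep only allowlisted, scalar meta values from a submitted form.
 * Everything else, including privilege keys, is dropped.
 */
function filter_registration_meta(array $submitted): array
{
    $clean = [];
    foreach ($submitted as $key => $value) {
        $key = (string) $key;

        // Block privilege keys under any table prefix (e.g. wp_3_capabilities on multisite).
        if (in_array($key, PROTECTED_META_KEYS, true)
            || preg_match('/(capabilities|user_level)$/i', $key) === 1) {
            continue;
        }
        // Deny by default: unknown keys never reach the database.
        if (!in_array($key, ALLOWED_REGISTRATION_META, true)) {
            continue;
        }
        // A form field like key[administrator] arrives as an array; accept scalars only.
        if (!is_scalar($value)) {
            continue;
        }
        $clean[$key] = trim((string) $value);
    }
    return $clean;
}

/**
 * Resolve the role for a new account from an allowlist, never from the raw request.
 * A role that exists in the plugin's own role definitions still has to be on the list.
 */
function resolve_registration_role($requested, string $default = 'subscriber'): string
{
    if (is_string($requested) && in_array($requested, SELF_ASSIGNABLE_ROLES, true)) {
        return $requested;
    }
    return $default;
}

// Constructed sample: a registration submission that smuggles privilege fields.
$submitted = [
    'first_name'      => 'Alice',
    'wp_capabilities' => ['administrator' => true],
    'wp_user_level'   => '10',
    'role'            => 'um_custom_manager',
    'favorite_color'  => 'blue',
];

print_r(filter_registration_meta($submitted));
echo resolve_registration_role($submitted['role'] ?? null), PHP_EOL;
```

Run it from the command line with `php`: the privilege keys, the unknown field and the unlisted role are all discarded, and only `first_name` plus the default role remain. The same deny-by-default rule applies to any plugin that maps form fields onto user meta: decide the accepted keys and roles server-side and treat everything else in the request as untrusted.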

The third bug is rated 9.8 out of 10, slightly lower because it requires access to the site's wp-admin profile.php page. It is still considered extremely dangerous, since it lets any authenticated attacker easily elevate their privileges to administrator.

According to the experts, more than 80% of users have already installed the updated version of the plugin. That still leaves around 25,000 Ultimate Member sites vulnerable to potential attacks.

Recall that we also reported that the Popup Builder WordPress plugin endangered 100,000 sites, and that vulnerabilities in the WordPress Database Reset plugin allow hijacking a site or erasing all its data.


About the author

Emma Davis

I'm a writer and content manager (I recently completed a bachelor's degree in Marketing at Gustavus Adolphus College). For now, I have a deep drive to study cyber security.
