The Ultimate Member WordPress plugin is affected by a privilege escalation vulnerability that is being exploited in the wild. CVE-2023-3460 has been rated as critical with a CVSS base score of 9.8. The proof of concept for the vulnerability will be released on August 1st, 2023.
Ultimate Member is a user profile and membership plugin for WordPress. The plugin offers user profiles, member directories, user registration/login, user role editing, and content restriction. The plugin combines front-end elements with powerful admin functionality that makes creating a user-based website easy with WordPress. According to WordPress, the Ultimate Member plugin has more than 200000 active installations.
Vulnerability Description
The Ultimate Member WordPress plugin makes it easy to register and manage accounts. One of its features is a registration form used to sign up for an account on a WordPress site running the plugin. Unfortunately, in vulnerable versions this form lets a visitor create a new account and set arbitrary user metadata on it.
The plugin does maintain a predefined list of banned meta keys that a user should not be able to edit, but in vulnerable versions the check is easy to bypass: submitting the meta key with different letter case, with added slashes, or in a different character encoding is enough to get past the filter.
This lets an attacker set the wp_capabilities user meta value of their own account to “administrator.” On successful exploitation, the attacker gains complete access to the vulnerable site.
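The root cause described above is a blocklist compared against the raw submitted key. The following added example (not the plugin's code) contrasts that literal check with one that canonicalises the key before comparing, and with an allowlist of form fields; the contents of BANNED_META_KEYS beyond wp_capabilities and the accepted field names are assumptions for illustration.

```python
import re
import unicodedata
from urllib.parse import unquote

# Meta keys that grant privileges. wp_capabilities is the key named in the
# advisory; wp_user_level is another standard WordPress key (assumed here).
BANNED_META_KEYS = {"wp_capabilities", "wp_user_level"}


def naive_is_banned(key: str) -> bool:
    # Literal comparison of the raw key: the kind of check the advisory
    # says is defeated by case, slash and encoding variants.
    return key in BANNED_META_KEYS


def canonical_meta_key(key: str) -> str:
    """Reduce a submitted key to the form the data store will actually use."""
    # Undo URL-encoding until stable, so double-encoding cannot hide a key.
    prev = None
    while prev != key:
        prev, key = key, unquote(key)
    # Drop backslash escapes (a stripslashes-style store would remove them).
    key = key.replace("\\", "")
    # Fold Unicode compatibility forms and letter case.
    key = unicodedata.normalize("NFKC", key).casefold()
    # Keep only the characters a WordPress meta key legitimately uses.
    return re.sub(r"[^a-z0-9_-]", "", key)


def hardened_is_banned(key: str) -> bool:
    # Compare the canonical form, not what the client happened to send.
    return canonical_meta_key(key) in BANNED_META_KEYS


def accept_registration_meta(submitted: dict, allowed_keys: set) -> dict:
    """Return only metadata a registration form may legitimately set.

    Keys are canonicalised first, so an allowlist of exact names cannot be
    slipped past with an encoded variant; privileged keys are refused even
    if someone mistakenly adds them to the allowlist.
    """
    accepted = {}
    for raw_key, value in submitted.items():
        key = canonical_meta_key(raw_key)
        if key in allowed_keys and key not in BANNED_META_KEYS:
            accepted[key] = value
    return accepted
```

An allowlist of the fields the form actually defines is the stronger control; the blocklist is kept only as defence in depth.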
Indicators of Compromise
IP addresses used in attacking the site:
The usernames used in the attacks:
- wpenginer
- wpadmins
- wpengine_backup
- se_brutal
- segs_brutal
Steps involved in the attacks:
- An initial POST request is made to the plugin’s user registration page, typically “/register.”
- The attacker then attempts to log in with the newly created account using the “/wp-login.php” page.
- Finally, a malicious plugin is uploaded through the site’s administration panel.
Malicious plugins, themes, and code modifications used in the attacks:
- Malicious plugins such as “yyobang” and backdoors such as “autoload_one.php” added to legitimate plugins.
- Malicious themes such as “fing.”
- Modifications to the active theme’s functions.php, including attempts to create a persistent user, “wpadminns.”
Affected Versions
The vulnerability affects the Ultimate Member plugin versions up to and including 2.6.6.
Mitigation
To mitigate this vulnerability, customers must upgrade to Ultimate Member 2.6.7.
For more information about the mitigation, please refer to the WordPress security advisory.
Qualys Detection
Qualys customers can scan their devices with QID 730836 to detect vulnerable assets.
Please continue to follow Qualys Threat Protection for more coverage of the latest vulnerabilities.
References
https://wordpress.org/plugins/ultimate-member/
https://blog.wpscan.com/hacking-campaign-actively-exploiting-ultimate-member-plugin/
https://docs.ultimatemember.com/article/1866-security-incident-update-and-recommended-actions
https://www.wordfence.com/blog/2023/06/psa-unpatched-critical-privilege-escalation-vulnerability-in-ultimate-member-plugin-being-actively-exploited/