Bug in WordPress plugin responsible for hijack attack

WordPress webmasters who use the Ultimate Member plugin are urged to update it to the latest version to block attacks that attempt to exploit multiple critical and easily exploitable vulnerabilities that could lead to their sites being hacked.

Ultimate Member is a plugin for the WordPress platform with more than 100.000 active installations, designed to make user profiles and member management easier.

The plugin supports building websites that allow easy creation of online communities, with tailored privileges for the various user roles.

In a report published today by Wordfence's Threat Intelligence team, threat analyst Chloe Chamberland said that the three security vulnerabilities Wordfence disclosed could allow intruders to become administrators and take full control of any WordPress site running a vulnerable Ultimate Member installation.

Following the disclosure of the vulnerabilities, the plugin's development team fixed them with the release of Ultimate Member 2.1.12 on October 29th.

One of them is rated by Wordfence as "very critical", as it "allows initially unauthorized users to easily escalate their privileges to those of an administrator".

“Once an attacker has admin access to a WordPress site, they have effectively taken over the entire site and can perform any action, from taking the site offline to further infecting the site with malware,” Chamberland explained.

Two of the bugs received the maximum CVSS severity rating of 10/10, as any unregistered malicious user could enter the WPO

The third was rated 9.8/10: it requires access to wp-admin and the site's profile.php page, but is still considered critical because it allows any authenticated attacker to gain administrator privileges with very little effort.

Although Ultimate Member 2.1.12, the version that fixes the three vulnerabilities, was released on October 26, the new version has only been installed approximately 75.000 times. This means that at least 25.000 WordPress sites with active Ultimate Member installations remain potentially exposed to attacks.

Ultimate Member users are urged to update the plugin to version 2.1.12 as soon as possible.

iGuRu.gr, The Best Technology Site in Greece


Written by Anastasis Vasileiadis

