Hackers Exploit Unpatched Privilege Escalation Vulnerability in Ultimate Member Plugin

Introduction

WPScan, a popular WordPress security scanner, has reported a hacking campaign that is actively exploiting an unpatched vulnerability in the Ultimate Member plugin. The vulnerability allows unauthenticated attackers to create new user accounts with administrative privileges, which can lead to a complete takeover of the affected website. It has been assigned a CVSSv3.1 score of 9.8, rating it critical.

Discovery of the Vulnerability

Automattic’s WP.cloud and Pressable.com hosting platforms noticed a concerning trend in compromised sites, where rogue new administrators were appearing. Upon further investigation, they discovered a discussion on the WordPress.org support forums regarding a potential Privilege Escalation vulnerability in the Ultimate Member plugin. Additionally, there were indications that this vulnerability was already being actively exploited.

Insufficient Patching Efforts

Ultimate Member, a widely used plugin active on over 200,000 WordPress sites, released a patch for the reported vulnerability in version 2.6.4. However, WPScan’s security researcher, Marc Montpas, found that this patch was not sufficient to address the issue entirely. After analyzing the update, WPScan identified multiple methods to bypass the proposed patch, suggesting that the vulnerability remains fully exploitable.

Confirmation of Active Exploitation

Underlining the urgency of the situation, WPScan’s monitoring systems detected attacks using this vulnerability in the wild. They have identified more than a dozen IP addresses associated with these exploits, as well as common usernames used for the malicious accounts. Indicators of compromise such as malicious plugins, themes, and code have also been identified. If you suspect that your website has been compromised, refer to the security advisory published by WPScan.
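The first thing a site owner should check for is the symptom the hosting platforms noticed: administrator accounts nobody created. The audit below is an added example, not code from WPScan or the Ultimate Member project; it assumes the default `wp_` table prefix (so the role lives in the `wp_capabilities` meta key) and runs the query against an in-memory SQLite copy of `wp_users`/`wp_usermeta` filled with constructed sample rows, standing in for the site's real MySQL database.

```python
import sqlite3
from datetime import datetime

# Serialised PHP arrays WordPress stores in wp_usermeta for a user's role.
# Assumes the default "wp_" table prefix, so the meta_key is wp_capabilities.
ADMIN_CAPS = 'a:1:{s:13:"administrator";b:1;}'
SUBSCRIBER_CAPS = 'a:1:{s:10:"subscriber";b:1;}'

# Constructed sample rows (ID, login, registration time, capabilities);
# the usernames are invented for the example, not indicators from the advisory.
SAMPLE_USERS = [
    (1, "siteowner", "2021-03-02 10:15:00", ADMIN_CAPS),
    (2, "editor_jane", "2022-07-19 08:00:00", SUBSCRIBER_CAPS),
    (3, "wpadmin_support", "2023-06-28 03:41:12", ADMIN_CAPS),
    (4, "backup_user", "2023-06-29 22:05:47", ADMIN_CAPS),
]

# The query to run against the live database: every account holding the
# administrator capability, restricted to registrations on/after a cutoff.
AUDIT_SQL = """
SELECT u.ID, u.user_login, u.user_registered
FROM wp_users u
JOIN wp_usermeta m ON m.user_id = u.ID
WHERE m.meta_key = 'wp_capabilities'
  AND m.meta_value LIKE '%administrator%'
  AND u.user_registered >= ?
ORDER BY u.user_registered
"""

def load_sample_db(rows):
    """Build an in-memory copy of the two WordPress tables the audit touches."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE wp_users (ID INTEGER, user_login TEXT, user_registered TEXT)")
    db.execute("CREATE TABLE wp_usermeta (user_id INTEGER, meta_key TEXT, meta_value TEXT)")
    for uid, login, registered, caps in rows:
        db.execute("INSERT INTO wp_users VALUES (?, ?, ?)", (uid, login, registered))
        db.execute("INSERT INTO wp_usermeta VALUES (?, 'wp_capabilities', ?)", (uid, caps))
    return db

def find_unexpected_admins(db, since, known_admins):
    """Return (login, registered) for administrator accounts created on/after
    `since` whose login is not in the allowlist of admins you actually created."""
    cutoff = since.strftime("%Y-%m-%d %H:%M:%S")
    return [(login, registered)
            for _, login, registered in db.execute(AUDIT_SQL, (cutoff,))
            if login not in known_admins]

if __name__ == "__main__":
    db = load_sample_db(SAMPLE_USERS)
    for login, registered in find_unexpected_admins(db, datetime(2023, 6, 1), {"siteowner"}):
        print(f"unexpected administrator {login!r} registered {registered}")
```

Any hit that is not an account you created yourself should be treated as a compromise and handled per the WPScan advisory, not just deleted, since the advisory also lists malicious plugins, themes and code that tend to accompany the rogue account.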

Current Status and Recommendations

As of now, version 2.6.6 is the latest release from the Ultimate Member plugin. However, it is still believed to be vulnerable to the reported exploit. In light of this, WPScan strongly advises users to disable the plugin until a proper and adequate patch has been released.

Conclusion

The hacking campaign targeting the unpatched vulnerability in the Ultimate Member plugin serves as a reminder of the importance of promptly addressing security vulnerabilities. Despite the plugin’s attempt to fix the issue with version 2.6.4, it was found to be insufficient by WPScan’s researchers. With active exploitation occurring in the wild, it is crucial for website owners to take immediate action to protect their sites. Disabling the plugin until an effective patch is available is a recommended precautionary measure.

Staying vigilant and proactive about security vulnerabilities is essential for maintaining the integrity of WordPress websites. Regularly updating plugins and themes, monitoring security advisories, and promptly applying patches are crucial steps in safeguarding against exploitation.
