Zero-Day Vulnerability in Popular WordPress Plug-In Puts Thousands of Websites at Risk

In a shocking revelation, renowned security company Wordfence has recently uncovered a critical zero-day vulnerability in Ultimate Member, a widely used “user login system” plug-in for the WordPress blogging platform. The vulnerability allows hackers to escalate their own accounts to administrator level, effectively granting them full control over targeted websites.

Over 200,000 websites use the plug-in to date

The security flaw, identified as CVE-2023-3460, has been assigned a risk score of 9.8, indicating its severity. Through this vulnerability, cybercriminals can circumvent the plug-in’s built-in security measures and manipulate the wp_capabilities user metadata of their accounts. By setting their own accounts to the administrator role, hackers can assume complete control of compromised websites.


The plug-in’s developer has responded swiftly to address the issue. On June 26, they released Ultimate Member version 2.6.3, which provided partial mitigation against the vulnerability. Subsequently, on July 1, version 2.6.7 was released, offering a complete fix for the security flaw.

Disturbingly, it has come to light that over 200,000 WordPress websites have incorporated the Ultimate Member plug-in. Given the high number of installations and the potential delay in updating the plug-in due to inadequate information dissemination, these websites remain exceptionally vulnerable to exploitation by malicious actors.

Web administrators and website owners are strongly advised to take immediate action by updating their Ultimate Member plug-in to the latest version, 2.6.7, to safeguard their websites against potential attacks. Additionally, it is crucial to remain vigilant and monitor any suspicious activity or unauthorized access attempts.
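As an added example (not from the article, Wordfence or the Ultimate Member project), the following audit script shows one way a site owner could act on that advice: it reads rows exported from wp_users joined with the wp_capabilities entry in wp_usermeta, parses the PHP-serialized role list, and reports any administrator account that is not on an allow-list of known admins. The rows, logins and allow-list are constructed for illustration.

```python
import re

# Constructed sample rows in the shape of
# (user_login, user_registered, wp_capabilities meta_value); not real site data.
SAMPLE_ROWS = [
    ("siteowner", "2019-03-02 10:11:12", 'a:1:{s:13:"administrator";b:1;}'),
    ("editor_jane", "2021-07-14 08:00:00", 'a:1:{s:6:"editor";b:1;}'),
    ("newuser8831", "2023-06-29 03:42:10", 'a:1:{s:13:"administrator";b:1;}'),
    ("subscriber_bob", "2022-01-05 12:00:00", 'a:1:{s:10:"subscriber";b:1;}'),
]

# Matches one role entry inside a PHP-serialized array: s:<len>:"<role>";b:<0|1>;
ROLE_RE = re.compile(r's:\d+:"([^"]+)";b:(0|1);')


def parse_roles(serialized):
    """Return the set of enabled role names in a wp_capabilities value."""
    return {name for name, flag in ROLE_RE.findall(serialized) if flag == "1"}


def find_unexpected_admins(rows, expected_admins, since=None):
    """Return (user_login, user_registered) pairs for administrator accounts
    that are not in `expected_admins`. If `since` ("YYYY-MM-DD HH:MM:SS") is
    given, only accounts registered at or after that time are reported; the
    WordPress timestamp format sorts correctly as plain strings."""
    flagged = []
    for login, registered, caps in rows:
        if "administrator" not in parse_roles(caps):
            continue
        if login in expected_admins:
            continue
        if since is not None and registered < since:
            continue
        flagged.append((login, registered))
    return flagged


if __name__ == "__main__":
    # Any hit here deserves manual review: an admin nobody created on purpose.
    for login, registered in find_unexpected_admins(SAMPLE_ROWS, {"siteowner"}):
        print(f"unexpected administrator: {login} (registered {registered})")
```

In a real audit, replace SAMPLE_ROWS with the output of a query over wp_users and wp_usermeta (meta_key = 'wp_capabilities') for the site's actual table prefix.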

Experts emphasize the significance of promptly addressing software vulnerabilities and staying up-to-date with the latest security patches. Regularly updating plug-ins and software is an essential practice that ensures website integrity and safeguards against emerging cyber threats.
