Over 200,000 WordPress sites are currently at risk of being taken over by attackers through an actively exploited zero-day vulnerability. No security update for this critical flaw in the Ultimate Member plugin is available yet. Security company Wordfence therefore strongly advises administrators to disable the plugin immediately.
About the Ultimate Member Plugin
Ultimate Member is a “profile & membership” plugin used for managing users and subscriptions on WordPress sites, particularly for online communities. It allows site owners to restrict access to certain content for paying users. According to WordPress data, the plugin is active on over 200,000 websites.
Critical Vulnerability and Its Impact
The plugin’s critical vulnerability (CVE-2023-3460) allows an unauthenticated attacker to register as an administrator and thereby gain complete control over the website. The issue lies in the plugin’s registration form, through which specific values for the newly registered account can be modified. One of these values is “wp_capabilities,” the user-metadata entry that determines the user’s role on the website.
Exploitation and Lack of Update
Although the plugin is not supposed to let users set this value, its filtering can be easily bypassed, so wp_capabilities can be modified to grant administrator privileges. As mentioned earlier, an update for this vulnerability is not yet available, and users are therefore urged to remove the plugin until a patch becomes available. The severity of this zero-day vulnerability has been rated 9.8 on a scale of 1 to 10.
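Because the impact is a self-registered account carrying the administrator capability, the follow-up an administrator wants after disabling the plugin is an audit of existing accounts. The script below is an added example (not from the article, Wordfence or the plugin): it parses the PHP-serialized array WordPress stores in the `wp_capabilities` user-meta entry and lists accounts holding the administrator capability that are not on a known-good list. The sample rows and the `known_admins` list are constructed; real input is an export of the site’s `wp_users` and `wp_usermeta` tables, with `wp_` replaced by the site’s own table prefix.

```python
import re

# Constructed sample rows standing in for exports of wp_users and wp_usermeta.
USERS = [
    {"ID": 1, "user_login": "siteowner", "user_registered": "2021-03-02 10:11:12"},
    {"ID": 57, "user_login": "newmember", "user_registered": "2023-06-28 04:02:33"},
    {"ID": 58, "user_login": "wpupdate", "user_registered": "2023-06-29 01:15:09"},
]
USERMETA = [
    {"user_id": 1, "meta_key": "wp_capabilities", "meta_value": 'a:1:{s:13:"administrator";b:1;}'},
    {"user_id": 57, "meta_key": "wp_capabilities", "meta_value": 'a:1:{s:10:"subscriber";b:1;}'},
    {"user_id": 58, "meta_key": "wp_capabilities", "meta_value": 'a:1:{s:13:"administrator";b:1;}'},
]


def parse_capabilities(serialized: str) -> dict:
    """Parse the PHP-serialized array WordPress writes to *_capabilities.

    Only the shape WordPress itself produces is handled (string keys with
    boolean values); this is not a general PHP unserializer. Entries whose
    declared byte length does not match the key are skipped as malformed.
    """
    caps = {}
    for length, key, flag in re.findall(r's:(\d+):"(.*?)";b:([01]);', serialized):
        if len(key.encode()) != int(length):
            continue
        caps[key] = flag == "1"
    return caps


def find_admin_accounts(users, usermeta, prefix="wp_", known_admins=()):
    """Return accounts holding the administrator capability that are not in
    known_admins, newest registration first. The meta key carries the table
    prefix, so a site with a custom prefix must pass it in."""
    caps_by_user = {
        row["user_id"]: parse_capabilities(row["meta_value"])
        for row in usermeta
        if row["meta_key"] == f"{prefix}capabilities"
    }
    flagged = [
        u for u in users
        if caps_by_user.get(u["ID"], {}).get("administrator")
        and u["user_login"] not in known_admins
    ]
    # user_registered is ISO-style, so string order is chronological order.
    return sorted(flagged, key=lambda u: u["user_registered"], reverse=True)


if __name__ == "__main__":
    for user in find_admin_accounts(USERS, USERMETA, known_admins={"siteowner"}):
        print(f'unexpected administrator: {user["user_login"]} (ID {user["ID"]}, registered {user["user_registered"]})')
```

Any account the audit lists should be verified against who actually created it; an administrator registered through the public form while the plugin was installed is the indicator described above.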