More than 200,000 WordPress websites that use the Ultimate Member plugin are at significant risk of compromise because of an unpatched security vulnerability, according to WPScan, a WordPress security firm.
WPScan has identified the flaw in the popular Ultimate Member plugin, which is used to create user profiles and online communities on WordPress sites.
The danger is that unauthenticated attackers, who need no existing account on the site, can use this vulnerability to create new user accounts with administrative privileges. That level of access gives them complete control over the compromised website and its data.
WPScan has issued a warning about the severity of the issue, emphasizing that there is currently no comprehensive fix available.
Moreover, there are indications that malicious actors are already exploiting the vulnerability. In response to the report, the developers behind the Ultimate Member plugin quickly released version 2.6.4 in an attempt to address the problem. Despite the new release, the WPScan team has found several ways to bypass the proposed patch, so the vulnerability remains fully exploitable on 2.6.4; updating alone does not protect a site.
The plugin relies on a predefined list of user metadata keys that registrants must not be allowed to set (a blocklist). When an account is created, the plugin checks the submitted field names against this list to reject attempts to register those keys.
Unfortunately, discrepancies between how Ultimate Member evaluates that blocklist and how WordPress handles metadata keys let attackers trick the plugin into writing keys it should refuse. Because WordPress stores a user’s role itself as user metadata, a blocked key that gets through is enough to turn a self-registered account into an administrator.
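The following is an added illustration of the class of bug described above, written for this page; it is not Ultimate Member’s code, and it does not reproduce the bypasses WPScan found. It assumes a hypothetical storage step that normalizes keys (trimming, unslashing, lowercasing) after the registration form’s check has run; the `WP_Capabilities ` variant in the constructed request is likewise hypothetical. The point it makes is general: an exact-match blocklist applied before normalization is bypassable, while an allowlist applied after the same normalization the storage layer uses is not.

```php
<?php
// Added example, not plugin or WordPress code. Runs stand-alone with plain PHP.
declare(strict_types=1);

// Keys a registrant must never set. 'wp_capabilities' is WordPress's real
// role-storage key (default table prefix); the other two are illustrative.
const BLOCKED_KEYS = ['wp_capabilities', 'wp_user_level', 'um_role'];

// Keys the registration form legitimately defines (illustrative allowlist).
const REGISTRABLE_KEYS = ['first_name', 'last_name', 'description'];

// Hypothetical normalization applied by the storage layer before saving.
// This stands in for any later transformation the form check did not
// anticipate; it is not a claim about what WordPress or the plugin does.
function normalize_key(string $key): string
{
    return strtolower(trim(stripslashes($key)));
}

// Naive filter: exact-match blocklist on the raw submitted key.
function filter_meta_blocklist(array $submitted): array
{
    $kept = [];
    foreach ($submitted as $key => $value) {
        if (in_array($key, BLOCKED_KEYS, true)) {
            continue;                       // rejected only on exact match
        }
        $kept[$key] = $value;
    }
    return $kept;
}

// Hardened filter: allowlist checked against the normalized key, so the
// comparison sees exactly what the storage layer will see.
function filter_meta_allowlist(array $submitted): array
{
    $kept = [];
    foreach ($submitted as $key => $value) {
        $norm = normalize_key($key);
        if (in_array($norm, REGISTRABLE_KEYS, true)) {
            $kept[$norm] = $value;
        }
    }
    return $kept;
}

// Storage step: normalizes keys and writes them (to an array here).
function store_meta(array $meta): array
{
    $stored = [];
    foreach ($meta as $key => $value) {
        $stored[normalize_key($key)] = $value;
    }
    return $stored;
}

// Constructed registration POST body. 'WP_Capabilities ' is a hypothetical
// variant chosen to miss the exact-match blocklist; WordPress really does
// store roles as a serialized array under the capabilities key.
$post = [
    'first_name'       => 'Alice',
    'WP_Capabilities ' => serialize(['administrator' => true]),
];

$viaBlocklist = store_meta(filter_meta_blocklist($post));
$viaAllowlist = store_meta(filter_meta_allowlist($post));

printf("blocklist: %s\n", isset($viaBlocklist['wp_capabilities']) ? 'role written (bypassed)' : 'role blocked');
printf("allowlist: %s\n", isset($viaAllowlist['wp_capabilities']) ? 'role written (bypassed)' : 'role blocked');
```

Run with `php example.php`: the blocklist path writes the role because the check compared the raw key while storage normalized it, and the allowlist path drops it because only named, normalized keys are ever written. The lesson carries over to any form that maps user-supplied field names onto stored keys: compare what will actually be written, and enumerate what is permitted rather than what is forbidden.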
Until a complete patch is released, security researchers advise site owners to deactivate the Ultimate Member plugin rather than rely on version 2.6.4. Given the signs of active exploitation, owners should also review the site’s administrator accounts and remove any they did not create.
On a positive note, websites hosted on WP.cloud platforms, including WordPress.com and Pressable.com, have received a platform-level mitigation that blocks the attack without a fix in the plugin itself.