Ultimate Member WordPress Plugin Vulnerability Allows Full Site Takeover

Ultimate Member WordPress plugin vulnerability, with over 200,000 active installations is being actively exploited on unpatched WordPress sites. The vulnerability is said to require trivial effort to bypass security filters.

Ultimate Member Plugin Vulnerability

The Ultimate Member WordPress plugin enables publishers to create online communities on their websites.

The plugin works by creating a frictionless process for user sign-ups and creation of user profiles. It’s a popular plugin especially for membership sites.

The free version of the plugin has a generous feature set including:

Front-end user profiles, registration, login and publishers can also create member directories.

The plugin also contained a critical flaw that allowed a site visitor to create member profiles with essentially administrator-level privileges.

WPScan security database describes the seriousness of the vulnerability:

“The plugin does not prevent visitors from creating user accounts with arbitrary capabilities, effectively allowing attackers to create administrator accounts at will.

This is actively being exploited in the wild.”

Failed Security Update

The vulnerability was discovered in late June 2023 and the publishers of Ultimate Member responded quickly with a patch to close the vulnerability.

That patch for the vulnerability was issued in version 2.6.5, published on June 28th.

The official changelog for the plugin stated:

“Fixed: A privilege escalation vulnerability used through UM Forms.

Known in the wild that vulnerability allowed strangers to create administrator-level WordPress users.

Please update immediately and check all administrator-level users on your website.”

However that fix did not fully patch the vulnerability and hackers continued to exploit it on websites.

The security researchers at Wordfence analyzed the plugin and determined on June 29th that the patch did not in fact work, describing their findings in a blog post:

“Upon further investigation, we discovered that this vulnerability is being actively exploited and it hasn’t been adequately patched in the latest version available, which is 2.6.6 at the time of this writing.”

The problem was so bad that Wordfence described the effort necessary to hack the plugin as trivial.

Wordfence explained:

“While the plugin has a preset defined list of banned keys, that a user should not be able to update, there are trivial ways to bypass filters put in place such as utilizing various cases, slashes, and character encoding in a supplied meta key value in vulnerable versions of the plugin.

This makes it possible for attackers to set the wp_capabilities user meta value, which controls the user’s role on the site, to ‘administrator’.

This grants the attacker complete access to the vulnerable site when successfully exploited.”

The user level of Administrator is the highest access level of a WordPress site.

What makes this exploit of particular concern is that this of a class called an “Unauthenticated Privilege Escalation, ” which means that a hacker doesn’t need any website access level whatsoever in order to hack the plugin.

Ultimate Member Apologizes

The team at Ultimate Member published a public apology to their users in which they provided a full accounting of everything that happened and how they responded.

It should be noted that most companies issue a patch and keep quiet. So it’s commendable and responsible that Ultimate Member are upfront with their customers about the security incidents.

Ultimate Member wrote:

“Firstly, we want to say sorry for these vulnerabilities in our plugin’s code and to any website that has been impacted and the worry this may have caused by learning of the vulnerabilities.

As soon as we were made aware that security vulnerabilities had been discovered in the plugin, we immediately began updating the code to patch the vulnerabilities.

We have released several updates since the disclosure as we worked through the vulnerabilities, and we want to say a big thank you to the team at WPScan for providing assistance and guidance with this after they got in touch to disclose the vulnerabilities.”

Users of Plugin Urged to Update Immediately

The security researchers at WPScan urges all users of the plugin to immediately update their sites to Version 2.6.7.

A special announcement from WPScan notes:

Hacking Campaign Actively Exploiting Ultimate Member Plugin

“A new version, 2.6.7, was released this weekend, and fixes the issue.

If you use Ultimate Member, update to this version as soon as possible.

This is a very serious issue: unauthenticated attackers may exploit this vulnerability to create new user accounts with administrative privileges, giving them the power to take complete control of affected sites.”

This vulnerability is rated 9.8 on a scale of 1 to 10, with ten being the most serious level.

It is highly recommended that users of the plugin update immediately.

Featured image by Shutterstock/pedrorsfernandes