The Defiant experts behind the development of Wordfence warned that Ultimate Member plugin users need to update to the latest version as soon as possible. A number of critical bugs that could lead to privilege escalation and site hijacking have recently been fixed in the plugin.
Ultimate Member is a popular plugin installed on over 100,000 sites. It allows administrators to extend and customize the functionality of user profiles.
According to the researchers, the plugin contained three vulnerabilities that could be exploited for privilege escalation, allowing attackers to elevate their rights to the administrator level and then seize control of the site. The bugs were found in versions 2.1.11 and below. All of them were fixed with the release of Ultimate Member 2.1.12 on October 29, 2020.
Two of the vulnerabilities scored 10 out of 10 on the CVSS vulnerability rating scale. The first problem was found in the user registration form. Because user input was not validated, attackers could submit arbitrary user meta keys during registration. These keys updated information in the database, including the fields used to define the user's role and privileges.
"The attacker would simply have to add wp_capabilities[administrator] to the login request and the attacker would update the wp_capabilities field with the administrator role," the experts write.
The second ten-point vulnerability was found in the same function. The lack of proper filtering allowed an attacker to assign themselves a role of their choosing through the role parameter. While the default WordPress roles were not accepted, custom roles defined by the Ultimate Member plugin could be used instead.
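The root cause of both registration-form bugs is that client-supplied field names reached the user-meta update unchecked. The following added example (not Ultimate Member's or Wordfence's code; the function name and the allowlist contents are assumptions) shows the defensive pattern: keep only an explicit allowlist of registration fields and, as defence in depth, always drop the keys WordPress uses for roles and capabilities, which are stored in usermeta as `{$wpdb->prefix}capabilities` and `{$wpdb->prefix}user_level` (`wp_capabilities` and `wp_user_level` with the default prefix).

```php
<?php
// Added example, not plugin code. Filters meta keys submitted with a
// registration form before anything is written with update_user_meta().

/**
 * Return only the submitted fields a registering user is allowed to set.
 * Keys not on the allowlist are dropped, and the role/capability keys are
 * rejected unconditionally so a tampered request can never set them.
 */
function um_example_filter_registration_meta(array $submitted, array $allowed_keys, string $table_prefix = 'wp_'): array
{
    // Keys WordPress uses to decide a user's role and privileges.
    $protected = [
        $table_prefix . 'capabilities',
        $table_prefix . 'user_level',
        'role',
    ];

    $clean = [];
    foreach ($submitted as $key => $value) {
        if (!is_string($key) || in_array($key, $protected, true)) {
            continue; // the client never chooses its own role
        }
        if (!in_array($key, $allowed_keys, true)) {
            continue; // unknown field: drop rather than store
        }
        $clean[$key] = $value;
    }
    return $clean;
}

// Constructed sample resembling a tampered registration request, in which
// wp_capabilities[administrator] and role were added to normal profile fields.
$submitted = [
    'first_name'      => 'Alice',
    'description'     => 'Hello',
    'wp_capabilities' => ['administrator' => true],
    'role'            => 'administrator',
];
$allowed = ['first_name', 'last_name', 'description'];

$clean = um_example_filter_registration_meta($submitted, $allowed);
// Only first_name and description survive; both privilege keys are gone.
assert(array_keys($clean) === ['first_name', 'description']);
```

A plugin should apply this filter on the server before any `update_user_meta()` call, and treat any request that carried a protected key as a signal worth logging, since a legitimate registration form never sends one.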
The third bug is rated 9.8 out of 10, slightly lower because it requires access to the site's wp-admin profile.php page. It is still considered extremely dangerous, as it allows any authenticated attacker to easily elevate their privileges to administrator.
According to the experts, more than 80% of users have already installed the updated version of the plugin. This still leaves about 25,000 sites running Ultimate Member that remain vulnerable to potential attacks.