Three critical privilege escalation vulnerabilities have been discovered in the Ultimate Member plugin, exposing over 100,000 websites to attack. These flaws allowed attackers to escalate their privileges to those of an administrator, leading to a complete takeover of the affected WordPress site.
Ultimate Member is a widely used WordPress plugin that enhances user registration and account management on WordPress websites. It also enables site owners to create custom roles and manage the privileges of site members. As part of this functionality, the plugin automatically creates three forms: user registration, user login, and user profile management.
How the vulnerabilities in the Ultimate Member plugin put your website at risk
The core flaw, detected by the Wordfence team, was that the plugin's user registration form lacked checks on the user data it received. This oversight gave attackers a way to supply arbitrary user meta keys during registration, and those keys would then be written to the database. In practice, an attacker could supply an array parameter for sensitive metadata such as the wp_capabilities user meta, which defines a user's role. During registration, the submitted details were passed to the update_profile function, and whatever metadata had been submitted, regardless of its content, would be stored for the newly registered user.
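To make that pattern concrete, here is an added illustration (not Ultimate Member's own code; the form field names, the meta keys, the 'wp_' table prefix and the function names are all assumed) of a registration handler that writes every submitted key to user meta, placed next to a hardened version that accepts only the fields the form actually defines and drops protected keys such as wp_capabilities:

```php
<?php
// Added illustration, not Ultimate Member's own code. It models the
// registration-handler pattern described above; no WordPress runtime needed.
// User meta keys that must never be settable from a registration form.
// In WordPress the prefix comes from $wpdb->prefix; 'wp_' is assumed here.
const PROTECTED_META_KEYS = ['wp_capabilities', 'wp_user_level'];

// Fields this (assumed) registration form actually defines.
const REGISTERED_FORM_FIELDS = ['user_login', 'user_email', 'first_name'];

// Vulnerable pattern: every submitted key is stored as user meta as-is.
function update_profile_unsafe(array $submitted, array &$user_meta): void
{
    foreach ($submitted as $key => $value) {
        $user_meta[$key] = $value;
    }
}

// Hardened pattern: accept only keys the form defines, drop protected keys
// unconditionally, and reject non-scalar values for text fields.
// Returns the list of rejected keys so the attempt can be logged.
function update_profile_safe(array $submitted, array &$user_meta): array
{
    $rejected = [];
    foreach ($submitted as $key => $value) {
        if (in_array($key, PROTECTED_META_KEYS, true)
            || !in_array($key, REGISTERED_FORM_FIELDS, true)
            || !is_scalar($value)) {
            $rejected[] = $key;
            continue;
        }
        $user_meta[$key] = $value;
    }
    return $rejected;
}

// Constructed registration payload carrying an extra capabilities array.
$submitted = [
    'user_login'      => 'newuser',
    'user_email'      => 'newuser@example.com',
    'wp_capabilities' => ['administrator' => true],
];
$meta_unsafe = [];
update_profile_unsafe($submitted, $meta_unsafe);
echo "unsafe stored: ", implode(', ', array_keys($meta_unsafe)), "\n";
$meta_safe = [];
$rejected = update_profile_safe($submitted, $meta_safe);
echo "safe stored: ", implode(', ', array_keys($meta_safe)), "\n";
echo "rejected: ", implode(', ', $rejected), "\n";
```

The unsafe handler stores wp_capabilities alongside the legitimate fields, while the hardened one stores only user_login and user_email and reports wp_capabilities as rejected.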
Two of these critical vulnerabilities were given the maximum CVSS severity score of 10/10, since both are unauthenticated privilege escalation issues via user meta and user roles.
The third received a CVSS severity score of 9.8/10; exploiting it requires access to the profile.php page in wp-admin, but it still allowed attackers to gain administrator access with minimal effort.
The Ultimate Member developers promptly released a patched version, 2.1.12, on October 29, 2020, which fully fixes all three vulnerabilities.
As with any other patched plugin vulnerability, we recommend that users immediately update their websites to the latest version available, which is 2.1.12 at the time of this publication.
If you know a friend or colleague who uses this plugin on their site, please share this post with them to help keep their sites protected, as these are high-severity vulnerabilities that are trivial to exploit.
Read more about this Ultimate Member plugin vulnerability on the Wordfence blog.