Exploiting Critical WordPress Zero-Day in Ultimate Member Plugin: Threat Actors Create Secret Admin Account

Threat actors exploited a critical WordPress zero-day in the Ultimate Member plugin to create a secret admin account


Threat actors exploited a critical WordPress zero-day in the Ultimate Member plugin to create a secret admin account. Ultimate Member is a popular plugin that facilitates the creation of user profiles and communities on WordPress sites; it also provides account-management features. Researchers at the WordPress security company WPScan noticed that new malicious administrators continued to appear on websites targeted by threat actors. As many as 200,000 WordPress websites are at risk of exploitation of critical unpatched security vulnerabilities in the Ultimate Member plugin.

The attackers actively exploited the flaw, tracked as CVE-2023-3460 (CVSS score: 9.8), to create a new user account with administrative privileges, which could then be used to take full control of the site. According to the researchers, the root cause of the problem is that the plugin relies on a predefined list of user metadata keys that users should not be allowed to manipulate, and the researchers consider this deny-list mechanism insecure.
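The deny-list problem described above, as an added example that is not Ultimate Member's code and does not reproduce the CVE-2023-3460 bypass: a constructed profile-update handler filters user-supplied meta keys either by exact match against a deny list or by an allow list. The storage layer (`store`/`normalise_key`, both hypothetical) is assumed to normalise keys before writing, modelled on what WordPress's `sanitize_key()` does (lower-case, then strip characters outside `[a-z0-9_-]`), so a key that is compared raw and normalised later can land on a privileged key the deny list never saw.

```python
"""Deny-list vs allow-list filtering of user meta keys.

Constructed illustration of the anti-pattern, not the plugin's own code.
The storage-side normalisation is an assumption made for this example.
"""
import re

# Keys a user must never set through their own profile form.
BLOCKED_KEYS = {"wp_capabilities", "wp_user_level"}

# Keys the profile form legitimately edits.
ALLOWED_KEYS = {"first_name", "last_name", "description"}


def normalise_key(key: str) -> str:
    """Assumed storage-side normalisation (modelled on sanitize_key())."""
    return re.sub(r"[^a-z0-9_-]", "", key.lower())


def filter_blocklist(submitted: dict) -> dict:
    """Vulnerable pattern: drop only keys that exactly match the deny list.

    The comparison is done on the raw key, but the store normalises the key
    afterwards, so a key that is *not* on the list here can become a blocked
    key by the time it is written.
    """
    return {k: v for k, v in submitted.items() if k not in BLOCKED_KEYS}


def filter_allowlist(submitted: dict) -> dict:
    """Hardened pattern: keep only keys the form is known to edit, compared
    after the same normalisation the store applies."""
    return {k: v for k, v in submitted.items()
            if normalise_key(k) in ALLOWED_KEYS}


def store(meta: dict) -> dict:
    """Assumed storage layer: normalises keys before writing them."""
    return {normalise_key(k): v for k, v in meta.items()}


# PHP-serialised role array as WordPress stores it for an administrator.
ADMIN_CAPS = 'a:1:{s:13:"administrator";b:1;}'

# Constructed request: one benign field plus a variant spelling of a
# privileged key that the exact-match deny list does not recognise.
REQUEST = {
    "first_name": "Alice",
    "WP_Capabilities": ADMIN_CAPS,
}


def grants_admin(written: dict) -> bool:
    """True if the written meta would give the account the administrator role."""
    return "administrator" in written.get("wp_capabilities", "")


if __name__ == "__main__":
    print("deny list writes :", store(filter_blocklist(REQUEST)))
    print("allow list writes:", store(filter_allowlist(REQUEST)))
```

The allow list wins not because its list is longer but because it is closed: a key the form does not know about is dropped regardless of how it is spelled, and the check runs on the same normalised form the store uses, so there is no gap between what was compared and what gets written.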

The researchers describe this as a common security anti-pattern: blocking malicious inputs may seem intuitive, but it is more complicated than expected and often leaves room for security breaches. WPScan did not provide details about the attack but shared Indicators of Compromise (IoCs) for it. Website admins using the Ultimate Member plugin are advised to disable it until a definitive patch is released; users are advised to verify whether the plugin is installed on sites they manage and to forward this alert to anyone managing a WordPress website.
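Since the observable outcome of this attack is an administrator account the site owner did not create, an added check (example code, not WPScan's IoC list) that lists administrator accounts from a WordPress user/usermeta export and flags any not on a known baseline. Roles live in the `wp_usermeta` row whose `meta_key` is `<table_prefix>capabilities` (`wp_capabilities` with the default prefix) as a PHP-serialised array such as `a:1:{s:13:"administrator";b:1;}`. The rows below are constructed sample data; the logins and timestamps are not real indicators.

```python
"""Flag administrator accounts that are not on a known baseline.

Added example, not part of the original article or of WPScan's IoCs.
Input rows are constructed in the shape of wp_users / wp_usermeta exports.
"""
import re

# Constructed sample rows: (user_id, user_login, user_registered).
USERS = [
    (1, "owner", "2021-03-02 10:00:00"),
    (2, "editor_bob", "2022-07-19 08:12:00"),
    (17, "wpadmin_support", "2023-06-27 03:41:55"),
]

# Constructed sample rows: (user_id, meta_key, meta_value).
# wp_user_level is the legacy numeric level; 10 corresponds to administrator.
USERMETA = [
    (1, "wp_capabilities", 'a:1:{s:13:"administrator";b:1;}'),
    (2, "wp_capabilities", 'a:1:{s:6:"editor";b:1;}'),
    (17, "wp_capabilities", 'a:1:{s:13:"administrator";b:1;}'),
    (17, "wp_user_level", "10"),
]

# Accounts the site owner knows about; any other admin is suspect.
KNOWN_ADMINS = {"owner"}

# Matches role entries set to true inside the PHP-serialised array,
# e.g. s:13:"administrator";b:1;
ROLE_RE = re.compile(r's:\d+:"([^"]+)";b:1;')


def roles(serialised: str) -> set:
    """Extract the role names that are enabled in a serialised role array."""
    return set(ROLE_RE.findall(serialised))


def admin_accounts(users, usermeta, prefix: str = "wp_"):
    """Return (user_login, user_registered) for every administrator account."""
    caps_key = prefix + "capabilities"
    admin_ids = {uid for uid, key, val in usermeta
                 if key == caps_key and "administrator" in roles(val)}
    return [(login, registered) for uid, login, registered in users
            if uid in admin_ids]


def unexpected_admins(users, usermeta, known, prefix: str = "wp_"):
    """Administrator logins that are not on the owner's baseline."""
    return [login for login, _ in admin_accounts(users, usermeta, prefix)
            if login not in known]


if __name__ == "__main__":
    for login, registered in admin_accounts(USERS, USERMETA):
        print(f"admin: {login:20s} registered {registered}")
    print("unexpected:", unexpected_admins(USERS, USERMETA, KNOWN_ADMINS))
```

On a live site the same two row sets come from `SELECT ID, user_login, user_registered FROM wp_users` and `SELECT user_id, meta_key, meta_value FROM wp_usermeta WHERE meta_key LIKE '%capabilities'`, with the prefix adjusted to the site's `$table_prefix`. Sorting the admin list by `user_registered` makes a freshly created account stand out even before a baseline exists.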

