A serious vulnerability in the Ultimate Member WordPress plugin is currently being exploited, exposing over 200,000 active WordPress installations to significant security risks. The widely used plugin, popular for building online communities on websites, has a flaw that lets ordinary site visitors create member profiles with administrator-level privileges, effectively granting them full control over a site.
The vulnerability was first identified in late June 2023. In response, the plugin developers promptly issued a patch (version 2.6.5) to address the issue. However, the initial effort to rectify the problem proved ineffective, as security researchers at Wordfence discovered that the vulnerability continued to be exploited despite the patch.
The vulnerability is categorized as an “Unauthenticated Privilege Escalation,” meaning that an attacker needs no existing account or access level on the website to exploit the plugin. This significantly magnifies the severity of the issue. The vulnerability has been rated 9.8 out of 10, underscoring the high level of risk associated with it.
In the face of the security issue, Ultimate Member extended a public apology to all users, acknowledging the vulnerabilities in their plugin code and the resultant concerns they may have caused. They provided a full account of the incident and the steps they had taken to address the problem. In their message, the team also expressed their gratitude to WPScan for their assistance and guidance during this challenging time.
Despite the difficult circumstances, Ultimate Member’s transparency during the ordeal was commendable, demonstrating their commitment to regaining user trust and addressing the issue proactively.
To address the security flaw, WPScan has strongly recommended that all users of the Ultimate Member plugin update it to the latest version, 2.6.7, as soon as possible. This newly released version patches the vulnerability that the earlier fix left unaddressed. Given the high severity rating, the necessity for immediate action by site owners cannot be overstated.
In conclusion, the Ultimate Member WordPress plugin vulnerability underscores the importance of regular plugin updates, user vigilance, and prompt action in response to such threats. In a rapidly evolving digital landscape, the response to this incident serves as a valuable lesson for developers and users alike.