Due to a serious unpatched security flaw that adversaries were actively exploiting, more than 2 lakh WordPress websites are at risk of hacking.
WPScan (WordPress Security Firm)
The flaw is in the Ultimate Member WordPress plugin, a free user profile plugin that makes it simple to build effective online groups and membership sites with WordPress.
“The ability for adversaries to use this security flaw to build new user accounts with admins’ capabilities and gain total control of the vulnerable sites is a very significant problem.”
Worryingly, “there were indications that adversaries were actively exploiting this issue” and “no complete fix to this issue.”
“The vulnerability is still completely exploitable, however, as we discovered multiple ways to get around the suggested patch while looking into this update.”
“Unfortunately, because of how WordPress handles metadata keys & how the Ultimate Member’s blocklist logic operates, adversaries misled the plugin into upgrading some things it shouldn’t have.”
The plugin’s developers immediately produced a new version, 2.6.4, to resolve the issue in response to the vulnerability report.
The plugin keeps a blocklist of user metadata keys that users should not be able to alter. It checks this list to determine whether people are trying to register these keys when they create accounts.
Users are advised to disable the Ultimate Member plugin until a patch that fully resolves this security risk is available.
A platform-level patch has been applied to websites hosted by WP.cloud, including WordPress.com and Pressable.com, to address the vulnerability.
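Because the flaw lets adversaries create accounts with administrator capabilities, a review of existing administrator accounts is a useful check alongside disabling the plugin. The following is an added example, not code from WPScan or the plugin's developers: it assumes the administrator list was exported with WP-CLI (`wp user list --role=administrator --fields=ID,user_login,user_registered --format=csv`), and the sample rows, approved logins and exposure date are constructed.

```python
import csv
import io
from datetime import datetime

# Constructed sample of the CSV produced by:
#   wp user list --role=administrator \
#       --fields=ID,user_login,user_registered --format=csv
SAMPLE_CSV = """ID,user_login,user_registered
1,siteowner,2019-03-11 08:15:02
7,editor_anna,2021-09-30 17:42:10
31,old_contractor,2020-02-14 11:05:37
52,wpsupport_x,2023-06-27 03:12:44
"""

# Assumptions for the example: the administrators the site owner expects,
# and the date the vulnerable plugin was first activated on the site.
APPROVED_LOGINS = {"siteowner", "editor_anna"}
EXPOSED_SINCE = datetime(2022, 5, 1)


def audit_admins(csv_text, approved_logins, exposed_since):
    """Return administrator accounts that are not on the approved list.

    Accounts registered on or after `exposed_since` are listed first,
    because they were created while the plugin was active.
    """
    approved = {name.lower() for name in approved_logins}
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        login = row["user_login"]
        if login.lower() in approved:
            continue
        registered = datetime.strptime(row["user_registered"],
                                       "%Y-%m-%d %H:%M:%S")
        findings.append({
            "id": int(row["ID"]),
            "login": login,
            "registered": registered,
            "in_exposure_window": registered >= exposed_since,
        })
    # Highest priority first: inside the window, then oldest to newest.
    findings.sort(key=lambda f: (not f["in_exposure_window"], f["registered"]))
    return findings


if __name__ == "__main__":
    for f in audit_admins(SAMPLE_CSV, APPROVED_LOGINS, EXPOSED_SINCE):
        flag = "REVIEW FIRST" if f["in_exposure_window"] else "review"
        print(f"{flag}: id={f['id']} login={f['login']} registered={f['registered']}")
```

Any account reported here that the site owner cannot account for should be investigated before it is removed, since it may show how and when the site was accessed.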
Suraj Koli is a content specialist with expertise in Cybersecurity and B2B Domains. He has provided his skills for News4Hackers Blog and Craw Security.