Pierluigi Paganini July 02, 2023

Threat actors are exploiting a critical WordPress zero-day in the Ultimate Member plugin to create secret admin accounts.

Hackers are actively exploiting a critical unpatched WordPress Plugin flaw, tracked as CVE-2023-3460 (CVSS score: 9.8), to create secret admin accounts.

Ultimate Member is a popular user profile and membership plugin for WordPress, it allows admins to create advanced online communities and membership sites. Ultimate Member allows creating almost any type of site where users can join and become members with absolute ease.

The plugin has more than 200,000 active installations at this time.

Researchers at the WordPress security firm WPScan noticed rogue new administrator accounts kept appearing on the websites targeted by the threat actors.

The attackers can exploit this vulnerability to create new user accounts with administrative privileges, which can be used to take full control of the sites.

The researchers explained that the root cause of the problem is the use of a pre-defined list of user metadata keys that users should not manipulate. The plugin relies on this list to check if users are attempting to register these keys when creating a new account.

This security mechanism is considered not secure by the researchers and can be bypassed

“This is a common security anti-pattern, where blocking known harmful inputs (blocklists) might seem intuitive, but is trickier than expected and often leaves room for security bypasses.” reads the post published by the researchers. “Instead of blocklists, it’s generally recommended to use allowlists, which approve specific inputs and reject anything that didn’t make it to the list. This typically provides a more robust security measure. Unfortunately, differences in how the Ultimate Member’s blocklist logic and how WordPress treats metadata keys made it possible for attackers to trick the plugin into updating some it shouldn’t, like “wp_capabilities”, which is used to store a user’s role and capabilities.”

WPScan did not provide details about the attacks but shared Indicators of Compromise (IoCs) for this attacks.

WordFence researchers also observed attacks exploiting this issue, they explained that the flaw hasn’t been adequately patched in the latest version available, which is 2.6.6 at the time of this writing.

“While the plugin has a preset defined list of banned keys, that a user should not be able to update, there are trivial ways to bypass filters put in place such as utilizing various cases, slashes, and character encoding in a supplied meta key value in vulnerable versions of the plugin,” reads the post published by Wordfence. “The vulnerability remains unpatched and can quickly allow unauthenticated users to automatically take over any site with the plugin installed. This means that all 200,000 installations are currently at risk. We recommend verifying that this plugin is not installed on your site until a patch is made available, and forwarding this advisory to anyone you know who manages a WordPress website.”

Admins of websites using the Ultimate Member plugin are recommended to disable it until a definitive patch will be released.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, Ultimate Member plugin)