WordPress, a reliable and fondly used website creator, is once again dealing with an exploit issue. WordPress is a domain creator capable of generating different websites, ranging from portfolios, business websites, blogs, news, and media – to name a few categories. To further enhance these options, WordPress also takes advantage of plugins, templates, and add-ons. These extra functions can greatly enhance a visitor’s experience while providing a massive range of functionality for the administrator.
However, every good in tech comes with a downside, too. Any extension or addon is its module run by a different team, requiring routine updates and checks. Addons or extensions have access to different permissions when updating a WordPress website. It’s those configurations – big or small – introducing levels of security risk.
This isn’t the first time WordPress has experienced issues with exploits, and it won’t be the last. Unfortunately, the latest break-in security can give exploiters administrator access.
About the exploit
The critical vulnerability comes from the Ultimate Member plugin. This plugin potentially affects 200,000 users across all relevant WordPress domains.
This addon allows for easy logins and credential access, making it particularly dangerous. Owners of the plugin can create custom form fields, define roles with their WordPress, access directories of members, and add member profiles. The problem is, if attackers gain access to the plugin, they can add members to the administrative directory, including all its associated privileges. In other words, gain control over the targeted WordPress domain.
The exploit is CVE-2023-3460. Reports of early attacks started in June, with unknown accounts added into the WordPress domain with administrator privileges. The exploit occurred due to a misconfiguration. Hackers “trick” the plugin into updating metadata keys, such as administrator roles. Thus, it allows them to register accounts with admin control. As it stands, while patches have been released since the discovery of the exploit, it is currently not fully patched and presents a serious risk to anyone using the Ultimate Member plugin.
What should users do?
Until the plugin is completely patched, it is recommended to completely disable the plugin. Leaving the plugin as-is puts your WordPress website at risk.
Furthermore, system administrators should check for unusual activity, such as the creation of unknown accounts. It’s important to do this asap, as newly created accounts from hackers could possess administrator privileges and take control of the website.