Multiple critical vulnerabilities affecting the Ultimate Member plugin could be easily exploited to potentially takeover up to 25K websites.

Multiple critical vulnerabilities in the Ultimate Member plugin could be easily exploited to take over websites, the issue potentially impact up to 100K installs.

The Ultimate Member WordPress plugin allows admins to easily manage membership to their websites assigning custom privileges for various user roles.

“On October 23, 2020, our Threat Intelligence team responsibly disclosed several vulnerabilities in Ultimate Member, a WordPress plugin installed on over 100,000 sites. These flaws made it possible for attackers to escalate their privileges to those of an administrator and take over a WordPress site.” reads the analysis published by Wordfence.

Wordfence researchers discovered three security flaws that could have allowed attackers to escalate their privileges to admin and take over WordPress sites running vulnerable versions of the Ultimate Member plugin.

Wordfence reported the vulnerabilities to the development team behind the plugin on October 26 that addressed them with the release of Ultimate Member version 2.1.12 on October 29.

“This vulnerability is considered very critical as it makes it possible for originally unauthenticated users to easily escalate their privileges to those of an administrator. Once an attacker has administrative access to a WordPress site, they have effectively taken over the entire site and can perform any action, from taking the site offline to further infecting the site with malware.”

Two of the critical vulnerabilities discovered by the experts have received a CVSS severity score of 10/10, they are both unauthenticated privilege escalation issues via user meta.

In the first case, an attacker simply needed to supply wp_capabilities[administrator] as part of a registration request, and that attacker would effectively update the wp_capabilities field with the administrator role. The request would grant administrator access upon registration.

In the second case, the admin role could be selected during registration due to the issue.

“Attackers could enumerate the current custom Ultimate Members roles and supply a higher privileged role while registering in the role parameter. Or, an attacker could supply a specific capability and then use that to switch to another user account with elevated privileges.” continues the issue. “In either case, if wp-admin access was enabled for that user or role, then this vulnerability could be used in conjunction with the final vulnerability detailed below.”

The third issue received a CVSS severity score of 9.8/10, its exploitation requires wp-admin access to the profile.php page, whether explicitly allowed or via another vulnerability used to gain that access. 

Since the release of the Ultimate Member 2.1.12, the plugin was downloaded roughly 75,000 times, this means that at least 25,000 WordPress websites with active Ultimate Member installs are potentially exposed to hack.