Thousands Of WordPress Sites Exposed
More than 200,000 WordPress sites have less security which exposes them to attacks that target the Ultimate Member Plugin. This is a service designed to make it easier to allow users to add profiles, define roles, and create member directories. But this allows hackers to add new administrative accounts to the user group.
Tracked as CVE-2023-3460 (CVSS score of 9.8), the recently identified security defect in Ultimate Member lets attackers add a new user account to the administrators group. The defect is a Cross Site Request Forgery (CSRF).
A CSRF flaw means that site does not distinguish between intentional actions taken by the user and forged requests generated by a malicious link or script request. This CSRF flaw allowed attackers to forge a request on behalf of an administrator and inject code on a vulnerable site allowing potential attackers to remotely execute arbitrary code on websites running vulnerable Code Snippets installation.
A high severity CSRF bug allows attackers to take over WordPress sites running an unpatched version of the Code Snippets plugin because of missing referer checks on the import menu.
Some of the plugin’s users have observed the creation of rogue accounts and reported them recently, but the attacks appear to have been ongoing at least since the beginning of June this year. WPScan, WordPress’s security firm, says that the bug is rooted in a conflict between the plugin’s blocklist logic and WordPress metadata keys.
Hackers can exploit operational differences between the plugin and WordPress to trick Ultimate Member into updating the metadata keys.
These keys include data that contain user role and capability information. WordPress advised site owners to disable the problematic plugin and closely monitor administrative accounts on their websites. While the WordPress plugin library doesn't provide daily downloads stats, roughly 58K users have downloaded and installed the latest version which means that at least 140K WordPress websites running this plugin are still exposed to potential takeover attacks.
Site owners who think they are at risk are advised to disable Ultimate Member to prevent exploitation of the vulnerability. They should also audit all administrator roles on their sites, to identify rogue accounts.
WPScan: Cyware: Threatpost: Oodaloop: Hacker News: Security Week: Bleeping Computer: Techradar:
You Might Also Read:
WordPress Comprises 90% Of Hacked Sites:
___________________________________________________________________________________________
If you like this website and use the comprehensive 6,500-plus service supplier Directory, you can get unrestricted access, including the exclusive in-depth Directors Report series, by signing up for a Premium Subscription.
- Individual £5 per month or £50 per year. Sign Up
- Multi-User, Corporate & Library Accounts Available on Request
- Inquiries: Contact Cyber Security Intelligence
Cyber Security Intelligence: Captured Organised & Accessible