Hackers are exploiting a zero-day privilege escalation vulnerability in the “Ultimate Member” WordPress plugin to compromise websites by bypassing security measures and registering malicious administrator accounts.

Ultimate Member is a user profile and membership plugin that makes it easy to sign up and build communities on WordPress sites, and it currently has over 200,000 active installs.

The exploited flaw, identified as CVE-2023-3460, and having a CVSS v3.1 score of 9.8 (“critical”), affects all versions of the Ultimate Member plugin, including its latest version, v2.6.6.

While the developers initially attempted to fix the flaw in versions 2.6.3, 2.6.4, 2.6.5, and 2.6.6, there are still ways to exploit the flaw. The developers said they are continuing to work on resolving the remaining issue and hope to release a new update soon.

“We have been working on patches related to this vulnerability since version 2.6.3 when we received a report from one of our customers,” said one of the Ultimate Member developers.

“Versions 2.6.4, 2.6.5, 2.6.6 partially fix this vulnerability but we are still working with the WPScan team to get the best result. We also receive their report with all the necessary details.”

“All previous versions are vulnerable, so we strongly recommend that you upgrade your websites to version 2.6.6 and keep updating in the future to get the recent security and feature enhancements.”

Attacks exploiting CVE-2023-3460

The attacks exploiting this zero-day were discovered by website security specialists at Wordfence, who warn that hackers are exploiting it by using the plugin’s registration forms to set arbitrary user meta values on their accounts.

Specifically, the attackers set the “wp_capabilities” user meta value to define their user role as administrators, granting them full access to the vulnerable site.

The plugin has a blocklist for keys that users shouldn’t be able to upgrade; however, circumventing this protective measure is trivial, says Wordfence.

WordPress sites hacked using CVE-2023-3460 in these attacks will show the following indicators:

  • Appearance of new administrator accounts on the site
  • New accounts using the usernames wpenginer, wpadmins, wpengine_backup, se_brutal, or segs_brutal
  • Log records indicating that known malicious IP addresses accessed the Ultimate Member registration page
  • Log records showing access from,,,, and
  • Appearance of a user account with an email address associated with “exelica.com”
  • Installation of new plugins and WordPress themes on the site
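The following script is an added example and is not code from the article or from Wordfence. It shows how a site owner could triage the indicators listed above against two artifacts they already have: a dump of the users table with each account’s `wp_capabilities` meta (the PHP-serialized role array the attackers overwrite to grant themselves the administrator role) and the web server access log. The sample users, the log lines, the `/register/` path, the `192.0.2.10` address and the `siteowner` login are all constructed for the example; the real attacker IP addresses are in the Wordfence report and are not on this page.

```python
import re

# Constructed usermeta export: (user_login, user_email, wp_capabilities value).
# wp_capabilities is the PHP-serialized role array WordPress stores per user;
# the attack sets it to the administrator form shown on the third row.
SAMPLE_USERS = [
    ("alice", "alice@example.com", 'a:1:{s:6:"editor";b:1;}'),
    ("siteowner", "owner@example.com", 'a:1:{s:13:"administrator";b:1;}'),
    ("wpadmins", "backup@exelica.com", 'a:1:{s:13:"administrator";b:1;}'),
    ("bob", "bob@example.com", 'a:1:{s:10:"subscriber";b:1;}'),
]

# Constructed access-log lines (combined log format); 192.0.2.0/24 and
# 198.51.100.0/24 are documentation ranges, not real attacker addresses.
SAMPLE_LOG = """\
192.0.2.10 - - [28/Jun/2023:10:01:02 +0000] "POST /register/ HTTP/1.1" 302 0
198.51.100.7 - - [28/Jun/2023:10:05:44 +0000] "GET /about/ HTTP/1.1" 200 5120
192.0.2.10 - - [28/Jun/2023:10:06:10 +0000] "GET /wp-admin/plugin-install.php HTTP/1.1" 200 8000
"""

# Indicators taken from the list above.
SUSPICIOUS_USERNAMES = {"wpenginer", "wpadmins", "wpengine_backup", "se_brutal", "segs_brutal"}
SUSPICIOUS_EMAIL_DOMAIN = "exelica.com"

# Assumptions for this example: the site's legitimate admin logins, the URL of
# its Ultimate Member registration page, and a placeholder bad-IP list.
KNOWN_ADMINS = {"siteowner"}
REGISTRATION_PATH = "/register/"
KNOWN_BAD_IPS = {"192.0.2.10"}

# Matches the administrator entry inside a serialized wp_capabilities array.
ADMIN_ROLE_RE = re.compile(r's:13:"administrator";b:1;')


def grants_admin(wp_capabilities: str) -> bool:
    """True if a serialized wp_capabilities value contains the administrator role."""
    return ADMIN_ROLE_RE.search(wp_capabilities) is not None


def triage_users(users):
    """Return (login, reason) pairs for accounts matching the account-level IoCs."""
    findings = []
    for login, email, caps in users:
        if grants_admin(caps) and login not in KNOWN_ADMINS:
            findings.append((login, "unexpected administrator role"))
        if login in SUSPICIOUS_USERNAMES:
            findings.append((login, "username matches published IoC"))
        if email.lower().endswith("@" + SUSPICIOUS_EMAIL_DOMAIN):
            findings.append((login, "email domain " + SUSPICIOUS_EMAIL_DOMAIN))
    return findings


LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def triage_log(log_text: str):
    """Return (ip, reason) pairs for registration-form and plugin-install hits from known bad IPs."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined log format
        ip, method, path = m.group("ip"), m.group("method"), m.group("path")
        if ip not in KNOWN_BAD_IPS:
            continue
        if method == "POST" and path == REGISTRATION_PATH:
            hits.append((ip, "registration form submitted from known bad IP"))
        elif path.startswith("/wp-admin/plugin-install.php"):
            hits.append((ip, "plugin installation page accessed from known bad IP"))
    return hits


if __name__ == "__main__":
    for login, reason in triage_users(SAMPLE_USERS):
        print(f"user {login}: {reason}")
    for ip, reason in triage_log(SAMPLE_LOG):
        print(f"ip {ip}: {reason}")
```

In a real triage the user rows would come from the `wp_users` and `wp_usermeta` tables (or a `wp user list` export) and the bad-IP set from the Wordfence advisory; any administrator login not on the known list is worth investigating regardless of whether its username matches the published ones, since the attackers can choose any name.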

Since the critical flaw remains unpatched and is so easy to exploit, Wordfence recommends uninstalling the Ultimate Member plugin immediately.

Wordfence explains that even the firewall rule it specifically developed to protect its customers against this threat does not cover all potential exploitation scenarios, so removing the plugin until its vendor fixes the problem is the only prudent action.

If a site is found to have been compromised, based on the IoCs shared above, removing the plugin will not be enough to remedy the risk.

In these cases, website owners should run full malware scans to root out all vestiges of the compromise, such as rogue administrator accounts and any backdoors the attackers created.
