Critical security vulnerability outs over 2 Lakh WordPress websites at risk

Date:

Share post:

spot_imgspot_img

Shillong, July 2: A critical unpatched security vulnerability in the Ultimate Member plugin has put more than 2 lakh WordPress websites at risk of hacking. The plugin, designed to create user profiles and online communities, has a bug that allows unauthenticated attackers to create new user accounts with administrative privileges. This enables them to gain complete control over affected sites.

WordPress security firm WPScan highlighted the severity of the issue and warned that the vulnerability was actively exploited by malicious actors. The plugin’s creators released a new version, 2.6.4, in an attempt to address the problem. However, upon investigation, the WPScan team discovered that the proposed patch could be bypassed, rendering the issue still fully exploitable.

The vulnerability stems from the plugin’s use of a predefined list of user metadata keys that should not be manipulated. Attackers were able to trick the plugin by exploiting differences in how the Ultimate Member plugin and WordPress handle metadata keys.

To mitigate the risk, security researchers strongly advise users to disable the Ultimate Member plugin until a comprehensive patch is available. WP.cloud hosts, including WordPress.com and Pressable.com, have implemented a platform-level patch to help alleviate the vulnerability for sites hosted on their platforms.

spot_imgspot_img

Related articles

Albanese raised concerns over China’s Pacific ballistic missile test in meeting with PM Modi

Melbourne, July 9: Australian Prime Minister Anthony Albanese, during his meeting with PM Narendra Modi in Melbourne on...

Dr Shivaraj takes charge as Rajiv Gandhi University VC; Guv calls for research excellence

Itanagar, July 9: Renowned academician and retired Professor of Chemistry at Osmania University, Hyderabad, Shivaraj, on Thursday, assumed...

ACA announces players’ pool for inaugural Assam Premier League auction

GUWAHATI, July 9: The Assam Cricket Association (ACA) has announced the players’ pool for the inaugural edition of...

Massive Melbourne reception for PM Modi bowls over Albanese, Victorian Premier

Melbourne, July 9: Thousands of people gathered at Melbourne's Marvel Stadium on Thursday evening, local time, to welcome...