Shillong, July 2: A critical unpatched security vulnerability in the Ultimate Member plugin has put more than 2 lakh WordPress websites at risk of hacking. The plugin, designed to create user profiles and online communities, has a bug that allows unauthenticated attackers to create new user accounts with administrative privileges. This enables them to gain complete control over affected sites.
WordPress security firm WPScan highlighted the severity of the issue and warned that the vulnerability was actively exploited by malicious actors. The plugin’s creators released a new version, 2.6.4, in an attempt to address the problem. However, upon investigation, the WPScan team discovered that the proposed patch could be bypassed, rendering the issue still fully exploitable.
The vulnerability stems from the plugin’s use of a predefined list of user metadata keys that should not be manipulated. Attackers were able to trick the plugin by exploiting differences in how the Ultimate Member plugin and WordPress handle metadata keys.
To mitigate the risk, security researchers strongly advise users to disable the Ultimate Member plugin until a comprehensive patch is available. WP.cloud hosts, including WordPress.com and Pressable.com, have implemented a platform-level patch to help alleviate the vulnerability for sites hosted on their platforms.