WordPress Plugin Ultimate Member

WordPress Plugin Vulnerability


If you are using the Ultimate Member plugin for WordPress, you need to update it soon. Versions lower than 2.6.7 are subject to a vulnerability that allows regular users to become administrators of the website. This means that someone could change the data on your website without any restrictions.

In geekspeak:

A critical vulnerability in the plugin (CVE-2023-3460) allows an unauthenticated attacker to register as an administrator and take full control of the website. The problem lies in the plugin's registration form. Through this form, it appears possible to set certain values for the account being registered. This includes the wp_capabilities value, which determines the user's role on the website.

The plugin does not allow users to submit this value, but the filter that blocks it turns out to be easy to bypass, making it possible to set wp_capabilities and become an admin.

In English for the rest of us:

A vulnerability was discovered that allows a visitor to a WordPress website running Ultimate Member to elevate their access to that of an administrator. Users at the administrator level have superpowers: the ability to change any content on the website. With this access, they would also be able to see any information in the membership database, such as users' contact information, and might have access to payment information as well.

The good news is that the developer of the plugin has already issued a fix, or patch, that can be applied to close the vulnerability. Please note that emergency patches of this type are often followed by another fix for something the first fix missed. This happens because an emergency fix like this is rushed, and something gets overlooked.
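Updating closes the hole, but it does not tell you whether the registration form was already abused before you patched. The following script is an added example (not code from this post or from the Ultimate Member plugin): it reads the kind of rows you would export from the wp_users and wp_usermeta tables, decodes the PHP-serialized wp_capabilities value WordPress stores, and lists every account holding the administrator role that is not on your list of expected admins. The user rows, capability strings and the EXPECTED_ADMINS set are constructed for the example.

```python
"""Audit WordPress accounts for unexpected administrator capabilities."""
import re
from datetime import datetime

# Constructed sample rows: (ID, user_login, user_registered) from wp_users.
USERS = [
    (1, "owner", "2021-03-02 10:15:00"),
    (2, "editor_jane", "2022-07-19 08:00:00"),
    (3, "newmember42", "2023-06-28 23:41:07"),
]
# Constructed sample: user_id -> meta_value where meta_key = 'wp_capabilities'.
# WordPress stores roles as a PHP-serialized array, e.g. a:1:{s:13:"administrator";b:1;}
CAPS = {
    1: 'a:1:{s:13:"administrator";b:1;}',
    2: 'a:1:{s:6:"editor";b:1;}',
    3: 'a:2:{s:10:"subscriber";b:1;s:13:"administrator";b:1;}',
}
# Accounts you know should be admins (assumed for the example); anything else
# holding the role deserves a look.
EXPECTED_ADMINS = {"owner"}

# Matches one serialized entry whose value is true: s:<len>:"<role>";b:1;
_ROLE = re.compile(r's:\d+:"([^"]+)";b:1;')


def roles_from_capabilities(serialized: str) -> set[str]:
    """Return the roles set to true in a PHP-serialized wp_capabilities value."""
    return set(_ROLE.findall(serialized))


def unexpected_admins(users, caps, expected, since=None):
    """Return (login, registered) for administrator accounts not in `expected`,
    optionally limited to accounts registered on or after `since` (YYYY-MM-DD)."""
    cutoff = datetime.fromisoformat(since) if since else None
    found = []
    for uid, login, registered in users:
        if "administrator" not in roles_from_capabilities(caps.get(uid, "")):
            continue
        if login in expected:
            continue
        if cutoff and datetime.fromisoformat(registered) < cutoff:
            continue
        found.append((login, registered))
    return found


if __name__ == "__main__":
    for login, when in unexpected_admins(USERS, CAPS, EXPECTED_ADMINS):
        print(f"unexpected administrator: {login} (registered {when})")
```

Run it against a real export by replacing the constructed rows with the output of a query on wp_users and wp_usermeta; the `since` argument narrows the list to accounts created while the vulnerable version was installed.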