- Ultimate Member, a WordPress plugin with over 200,000 active installations, has had a security vulnerability exploited by hackers.
- The vulnerability allowed attackers to gain administrator-level privileges on affected accounts and websites, and exploitation continued even after a patch intended to stop it was released on June 28th.
Ultimate Member is a popular membership plugin that lets site owners build subscription sites and members-only areas for their visitors. A critical flaw was discovered, however, in which visitors could essentially grant themselves the Administrator role across the site, giving them full access to the site's data and to the owner's personal information.
WordPress users rely on plugins for most of their website's features, so a security flaw in one plugin can expose everything the site depends on, a reality WordPress users had to confront in light of this news.
Wordfence, a global team of WordPress security experts and analysts, described the steps the hackers were taking to get Administrator access – the highest level of clearance on a WordPress site – as “trivial”.
The Ultimate Member developers had a patch ready by late June 2023, but by that point it was too late. The update released on the 28th of June was intended to fix the flaw, but Wordfence analysts later found that it had not, stating:
“Upon further investigation, we discovered that this vulnerability is being actively exploited and it hasn’t been adequately patched in the latest version available, which is 2.6.6 at the time of this writing”
The Ultimate Member developers issued a public apology to the users affected, saying that they had
“released several updates since the disclosure as we worked through the vulnerabilities”.
As of writing, exploitation is still ongoing. The current advice for sites that have the plugin installed is to remove it immediately.
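Because the attack described above ends with an unexpected account holding the Administrator role, a site owner should also review who currently has that role. The query below is an added audit check, not something from the article or from Wordfence; it assumes the default `wp_` table prefix and a single-site installation.

```sql
-- Added audit query (not from the article): list every account holding the
-- WordPress administrator role, newest registrations first, so that accounts
-- nobody remembers creating stand out for review.
-- Assumes the default wp_ table prefix and a single-site install; on a
-- multisite the meta_key is <prefix><blog_id>_capabilities instead.
SELECT u.ID,
       u.user_login,
       u.user_email,
       u.user_registered,
       m.meta_value AS capabilities   -- serialized PHP array of roles
FROM wp_users AS u
JOIN wp_usermeta AS m
  ON m.user_id = u.ID
 AND m.meta_key = 'wp_capabilities'
WHERE m.meta_value LIKE '%"administrator"%'
-- Optional: narrow to accounts created since a cutoff of your choosing,
-- e.g. the start of the exploitation window (placeholder date, adjust it).
-- AND u.user_registered >= '2023-06-01'
ORDER BY u.user_registered DESC;
```

Any administrator in the result that was not created by the site's own staff should be treated as a sign of compromise and handled as part of a wider incident review, not just deleted.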