These WordPress plugin bugs could jeopardize hundreds of thousands of sites

News
By published

WordPress sites running the Ultimate Member plugin should update to version 2.1.12 immediately

WordPress logo
(Image credit: Pixabay)

WordPress site owners currently using the Ultimate Member plugin are being urged to update to the latest version in order to patch three serious security flaws that could be exploited to launch site takeover attacks.

Ultimate Member is a popular WordPress plugin designed to help simplify the task of creating and managing user profiles which is currently installed on over 100,000 websites. The plugin enables site owners to create a user based website with WordPress with custom privileges for different users.

However, the security firm Wordfence recently disclosed three high-severity vulnerabilities in the plugin that could be exploited by an attacker to escalate their privileges as well as take over any WordPress site running versions of Ultimate Member before version 2.1.12.

All three vulnerabilities have now been patched with the release of Ultimate Member version 2.1.12 back in late October and WordPress site owners should update the plugin immediately to avoid falling victim to any potential attacks.

Privilege escalation vulnerabilities

Of the three vulnerabilities disclosed by Wordfence in its new report, two have a maximum CVSS severity rating of 10/10 while the other has a critical CVSS score of 9.8.

The two high severity vulnerabilities can be exploited for unauthenticated privilege escalation via user meta by granting admin access upon registration and user roles by selecting an admin role during registration. The critical vulnerability is a bit less severe as an attacker would need wp-admin access to a site's profile.php page to exploit though it still allows an authenticated attacker to easily elevate their privileges to admin.

Although Ultimate Member released an updated version of its plugin which patched all three vulnerabilities in October, 34.6 percent of the plugin's active users are still running outdated versions according to data from WordPress.org.

Now that all three vulnerabilities have been publicly disclosed, cybercriminals will likely try to launch attacks against WordPress sites running vulnerable versions of the plugin which is why all Ultimate Member plugin users should update their installations to the latest version as soon as possible.

Via BleepingComputer

TOPICS
Anthony Spadafora
Anthony Spadafora

After working with the TechRadar Pro team for the last several years, Anthony is now the security and networking editor at Tom’s Guide where he covers everything from data breaches and ransomware gangs to the best way to cover your whole home or business with Wi-Fi. When not writing, you can find him tinkering with PCs and game consoles, managing cables and upgrading his smart home. 

Latest in Security
A digital representation of a lock
NYU website defaced as hacker leaks info on a million students
NHS
NHS IT supplier hit with major fine following ransomware attack
Data leak
Top home hardware firm data leak could see millions of customers affected
Representational image depecting cybersecurity protection
Third-party security issues could be the biggest threat facing your business
A stylized depiction of a padlocked WiFi symbol sitting in the centre of an interlocking vault.
Broadcom warns of worrying security flaws affecting VMware tools
Android Logo
Devious new Android malware uses a Microsoft tool to avoid being spotted
Latest in News
An image of the Nintendo Switch 2
Nintendo Switch 2 pre-orders will start on April 2 according to Best Buy Canada
Person printing
Microsoft’s latest Windows 11 update exorcises possessed printers that spewed out pages of random characters
Pro-Ject A1.2 in black, playing a vinyl record in a hi-fi listening room
Pro-Ject's new fully-automatic turntable could be the buy of Record Store Day 2025
Intergalactic: The Heretic Prophet
Intergalactic: The Heretic Prophet reportedly won't release until after 2026, as Neil Druckmann says that staff 'are playing it at the office' right now - but I don't think I can wait that long
Screenshot from action RPG soulslike Lies of P
Lies of P Overture won't elaborate on the game's eyebrow-raising post-credits twist, and I think that's good news
Nintendo Switch 2
The Switch 2 launching with a Mario Kart game 'is very unlike Nintendo' compared to the original Switch releasing with Breath of the Wild, says former marketing leads: 'That's what's gonna make you want to buy the new hardware'
More about security
A digital representation of a lock

NYU website defaced as hacker leaks info on a million students
NHS

NHS IT supplier hit with major fine following ransomware attack
Person printing

Microsoft’s latest Windows 11 update exorcises possessed printers that spewed out pages of random characters
See more latest
Most Popular
Person printing
Microsoft’s latest Windows 11 update exorcises possessed printers that spewed out pages of random characters
An image of the Nintendo Switch 2
Nintendo Switch 2 pre-orders will start on April 2 according to Best Buy Canada
Freddie Prinze Jr., Sarah Michelle Gellar, Matthew Liliard and Linda Cardinelli in Scooby Doo 2: Monsters Unleashed
Netflix is firing up the Mystery Machine with a live action Scooby-Doo series
A digital representation of a lock
NYU website defaced as hacker leaks info on a million students
Sama virtual assistant
Speak, Book, Fly. Qatar Airways debuts industry-first AI travel agent, Sama
An Apple Lumon Terminal Pro computer next to a keyboard with Severance-themed keycaps
You sadly can't buy Apple's Lumon Terminal Pro computer, but here's where to get the Severance-style keycaps
Pro-Ject A1.2 in black, playing a vinyl record in a hi-fi listening room
Pro-Ject's new fully-automatic turntable could be the buy of Record Store Day 2025
Intergalactic: The Heretic Prophet
Intergalactic: The Heretic Prophet reportedly won't release until after 2026, as Neil Druckmann says that staff 'are playing it at the office' right now - but I don't think I can wait that long
Kindle de Amazon
The latest Kindle update finally fixes page turning – and adds the perfect reading tool for my sieve-like brain
Screenshot from action RPG soulslike Lies of P
Lies of P Overture won't elaborate on the game's eyebrow-raising post-credits twist, and I think that's good news