Vulnerability Management, Identity

Ongoing attacks abusing critical WordPress bug could hit over 200K sites

Share

SecurityWeek reports that over 200,000 WordPress sites using the Ultimate Member plugin could be vulnerable to ongoing attacks exploiting a critical privilege escalation flaw, tracked as CVE-2023-3460, which began earlier this month. Such attacks were identified and reported by at least two WordPress site owners. Operational differences between the blocklist logic of Ultimate Member and the metadata key management of WordPress have resulted in the vulnerability, which has been leveraged by threat actors to enable unnecessary metadata key updates and allow the registration of additional user accounts with the administrator role, according to WPScan. Despite the release of patches for the security bug in the two most recent versions of the Ultimate Member, a complete fix has not yet been achieved, prompting recommendations to disable the plugin to curb potential attacks, as well as scour for possible rogue accounts by conducting a site-wide audit.

Related

Several Cisco NX-OS flaws addressed

Attackers could leverage the issue — which impacts Nexus 3000, 7000, and 9000 series switches with vulnerable NX-OS versions with DHCPv6 activated and are in standalone NX-OS mode — to facilitate continuous crashes of the dhcp_snoop process and a denial-of-service condition.

Google beefs up Chrome bug bounty program

Higher rewards of up to $250,000 will be given by Google for the discovery of memory corruption flaws in the Chrome browser shown to achieve remote code execution using a non-sandboxed process as part of a more robust vulnerability reward program.

Related Events

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms of Use and Privacy Policy.