Vulnerability Management, Identity

Ongoing attacks abusing critical WordPress bug could hit over 200K sites

SecurityWeek reports that over 200,000 WordPress sites using the Ultimate Member plugin could be vulnerable to ongoing attacks exploiting a critical privilege escalation flaw, tracked as CVE-2023-3460, which began earlier this month. Such attacks were identified and reported by at least two WordPress site owners. Operational differences between the blocklist logic of Ultimate Member and the metadata key management of WordPress have resulted in the vulnerability, which has been leveraged by threat actors to enable unnecessary metadata key updates and allow the registration of additional user accounts with the administrator role, according to WPScan. Despite the release of patches for the security bug in the two most recent versions of the Ultimate Member, a complete fix has not yet been achieved, prompting recommendations to disable the plugin to curb potential attacks, as well as scour for possible rogue accounts by conducting a site-wide audit.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.