WordPress Plugin Ultimate Member is vulnerable to a privilege escalation vulnerability that allows attackers to gain administrator access to the wordpress site. The plugin claims that it is the number 1 user profile and membership plugin for wordpress, and it is used for membership access management for online communities and membership sites. It is a popular plugin with over 200,000 active installations. The technical details of the flaw, tracked as CVE-2023-3460, are being withheld for now. The plugin’s maintainers have attempted to address the vulnerability in two versions, but security researchers were able to circumvent the update in multiple ways. The most recent fix, version 2.6.7, which was released over the weekend has fixed the issue and anyone using the plugin should update immediately as this vulnerability is actively being exploited in the wild.
This segment was created for the It’s 5:05 podcast