Researchers have discovered critical privilege-escalation vulnerabilities in a WordPress plugin installed in 100k websites.
The three flaws in Ultimate Member were detected by Wordfence's Threat Intelligence Team, which described them as "critical and severe" and "easy to exploit."
By abusing the flaws, an attacker could escalate their privileges to those of an administrator and completely take over a WordPress site.
"Once an attacker has administrative access to a WordPress site, they have effectively taken over the entire site and can perform any action, from taking the site offline to further infecting the site with malware," noted researchers.
Ultimate Member is a free user profile plugin deployed to create online communities and membership sites with WordPress. It allows site owners to create custom roles and manage the privileges of site members.
"We discovered that the user registration form lacked some checks on submitted user data," wrote researchers.
"This oversight made it possible for an attacker to supply arbitrary user meta keys during the registration process that would update those meta keys in the database."
Researchers found the first flaw on October 19, 2020, and reached out to the plugin's developer on October 23.
"After establishing an appropriate communication channel, we provided the full disclosure details on October 26, 2020," said researchers.
The developer acted swiftly, sending Wordfence a copy of the first intended patch for testing on October 26.
"We confirmed the patch fixed one of the vulnerabilities, however, two still remained," said researchers.
The remaining flaws were fixed with an updated copy provided by the developers to Wordfence three days later. A patched version of Ultimate Member, 2.1.12, was released on October 29, 2020.
“The privilege escalation vulnerabilities found in the WordPress Ultimate Member plugin demonstrate the continued risks of plugins to any web application making them a regular target for attackers. Just one compromised third-party plugin can infect tens of thousands of websites in one stroke," commented Ameet Naik, security evangelist at PerimeterX.
"Businesses must understand the risks imposed by third-party WordPress plugins and must secure their websites using web application firewalls, as well as client-side visibility solutions that can reveal the presence of malicious code on their sites.”
We're Datek Solutions
Since 1998 we have been managing IT support, solutions and strategy for a range of clients. We have won awards for our excellent customer service and pride ourselves on being transparent. What you see, is what you get.
What makes us different? We don’t use a one-size fit all approach. We get to know your business and everyone in it, what it needs and how we can support you to give the best solutions at the best possible prices.
Above all this, we are committed to keeping it simple for you. If there’s a solution that your company needs, or you already have and it’s essential we support it, we make sure we know everything there is to know about it.
Contact us on 01753 540000 or email us at contactus@datek.co.uk.
News Source: https://www.infosecurity-magazine.com/