Active Exploitation of Zero-day Vulnerability in Ultimate Member Plugin
6 July 2023
Ultimate Member has released security updates to address a critical vulnerability (CVE-2023-3460) in its Ultimate Member plugin. The plugin is used on WordPress sites to facilitate registration and community creation. The vulnerability has a Common Vulnerability Scoring System (CVSSv3) score of 9.8 out of 10.
Successful exploitation of the privilege escalation vulnerability could allow an unauthenticated attacker to create user accounts with administrator capabilities.
The vulnerability affects Ultimate Member plugin versions 2.6.6 and earlier.
Users and administrators of affected plugin versions are advised to update to the latest versions immediately.
Users and administrators of affected plugin versions are also advised to adopt the following measures:
- Review all site administrators on the WordPress website and delete unknown administrator accounts
- Reset all user account passwords, including administrator account passwords
- Install WordPress security plugins to detect and log suspicious activities
- Perform regular backups of the WordPress database and site files
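The administrator review step above is the one most easily automated. The script below is an added example, not part of this advisory and not Ultimate Member's or WordPress's own code. It assumes WP-CLI is installed on the site host and that `wp user list` is asked for the fields ID, user_login, user_email, user_registered and roles in CSV form; the user rows are constructed sample data, and the cutoff date is a placeholder to be taken from your own access logs rather than from this page. The `ultimate-member` slug is the plugin's wordpress.org identifier.

```shell
#!/bin/sh
# Added example (not from the advisory, nor Ultimate Member's code).
# Flags WordPress administrator accounts registered on or after a cutoff date,
# supporting the "review all site administrators" measure.

# Constructed sample, shaped like the CSV printed by:
#   wp user list --fields=ID,user_login,user_email,user_registered,roles --format=csv
SAMPLE_USERS='ID,user_login,user_email,user_registered,roles
1,siteowner,owner@example.com,2021-03-10 09:12:44,administrator
2,editor1,editor@example.com,2022-05-02 11:00:00,editor
3,wpadmin1,random@example.net,2023-06-30 02:17:55,administrator
4,helpdesk,help@example.com,2023-06-28 13:05:09,subscriber'

# flag_new_admins CUTOFF
# Reads the CSV on stdin and prints the login of every administrator whose
# user_registered timestamp is on or after CUTOFF (ISO date, e.g. 2023-06-26).
# ISO timestamps sort lexically, so a plain string comparison is enough.
# The cutoff is a placeholder: choose it from your own logs, not from here.
flag_new_admins() {
    cutoff="$1"
    awk -F, -v cutoff="$cutoff" '
        NR == 1 { next }                                # skip the header row
        $5 ~ /administrator/ && $4 >= cutoff { print $2 }
    '
}

# count_admins: number of administrator accounts in the CSV on stdin, so the
# total can be compared against the known team roster.
count_admins() {
    awk -F, 'NR > 1 && $5 ~ /administrator/ { n++ } END { print n + 0 }'
}

# Wrappers over the constructed sample so the logic runs offline.
sample_new_admins() { printf '%s\n' "$SAMPLE_USERS" | flag_new_admins "$1"; }
sample_admin_count() { printf '%s\n' "$SAMPLE_USERS" | count_admins; }

# On a live site, pipe real WP-CLI output instead of the sample and follow the
# advisory's measures with the matching WP-CLI commands:
#   wp plugin update ultimate-member                                      # patch first
#   wp user list --fields=ID,user_login,user_email,user_registered,roles --format=csv \
#       | flag_new_admins 2023-06-26                                       # review admins
#   wp user delete <ID> --reassign=<trusted ID>                            # drop unknown admins
#   wp user list --field=ID | xargs wp user reset-password --skip-email    # rotate all passwords
#   wp db export backup-$(date +%F).sql                                    # back up before cleanup
sample_new_admins 2023-06-26
```

Run the pipeline once before cleanup to capture the evidence, and again after the plugin update to confirm no new administrator appears; keep the exported database alongside the list of accounts you removed.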
More information is available here:
https://docs.ultimatemember.com/article/1866-security-incident-update-and-recommended-actions
https://wpscan.com/vulnerability/694235c7-4469-4ffd-a722-9225b19e98d7
https://blog.wpscan.com/hacking-campaign-actively-exploiting-ultimate-member-plugin/