According to The Hacker News, the vulnerability, tracked as CVE-2023-3460 (CVSS score 9.8), exists in all versions of the Ultimate Member plugin (extension), including the latest version (2.6.6) released on June 29, 2023.
Ultimate Member is a popular plugin that helps create user profiles and communities on WordPress websites. This utility also provides account management features.
WPScan, a WordPress security company, stated that this security vulnerability is very serious, allowing attackers to exploit it to create new user accounts with administrative privileges, giving hackers complete control over affected websites.
Ultimate Member is a popular plugin used by over 200,000 websites.
Details about the vulnerability were withheld due to concerns about abuse. Security researchers at Wordfence described that although the plugin keeps a list of banned keys that users are not allowed to update, the filter can be bypassed in simple ways in the vulnerable versions of the plugin, such as by using forward slashes or character encoding in the supplied values.
This security vulnerability was disclosed after reports emerged of fake administrator accounts being added to affected websites. This prompted plugin developers to release partial fixes in versions 2.6.4, 2.6.5, and 2.6.6. A new update is expected to be released in the coming days.
Ultimate Member stated in its latest release that a privilege escalation vulnerability, exploited through UM Forms, allows unauthorized individuals to create administrator-level WordPress users. However, WPScan pointed out that the patches are incomplete and several methods to bypass them have been found, meaning the vulnerability remains exploitable.
The vulnerability is being exploited to register new accounts under the names apads, se_brutal, segs_brutal, wpadmins, wpengine_backup, and wpenginer, which are then used to upload malicious plugins and themes through the website's admin panel. Ultimate Member users should disable the plugin until this security vulnerability is fully patched.
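A site owner who wants to check for the account names listed above needs to look at the WordPress user table and the role stored in each user's wp_capabilities meta. The following triage script is an added example, not code from the article or from the Ultimate Member project; it assumes the user records have already been exported (for instance from a database dump or WP-CLI output) into the simple record shape shown, and the sample records in it are constructed for illustration. It flags any login matching the reported attacker usernames and, separately, lists administrator accounts registered after a chosen date so they can be reviewed by hand.

```python
"""Triage helper for the account names reported in the CVE-2023-3460 coverage.

Added example, not the article's or the Ultimate Member project's own code.
Assumption: wp_users rows and their wp_capabilities meta have been exported
into WPUser records; SAMPLE_USERS below is constructed test data.
"""
import re
from dataclasses import dataclass
from datetime import datetime
from typing import Iterable, List, Tuple

# Account names the article reports attackers registering on affected sites.
IOC_LOGINS = frozenset({
    "apads", "se_brutal", "segs_brutal", "wpadmins", "wpengine_backup", "wpenginer",
})

# Matches enabled roles inside a PHP-serialized wp_capabilities value,
# e.g. a:1:{s:13:"administrator";b:1;}  ->  ["administrator"]
_ROLE_RE = re.compile(r's:\d+:"([^"]+)";b:1;')


@dataclass(frozen=True)
class WPUser:
    user_login: str
    user_email: str
    user_registered: datetime
    capabilities: str  # raw serialized wp_capabilities meta value


def parse_roles(serialized_caps: str) -> Tuple[str, ...]:
    """Extract the role names that are set to true in a wp_capabilities value."""
    return tuple(_ROLE_RE.findall(serialized_caps))


def is_ioc_login(login: str) -> bool:
    """Case-insensitive match against the usernames reported in the article."""
    return login.strip().lower() in IOC_LOGINS


def find_ioc_accounts(users: Iterable[WPUser]) -> List[WPUser]:
    """Accounts whose login matches one of the reported attacker names."""
    return [u for u in users if is_ioc_login(u.user_login)]


def find_admins_registered_since(users: Iterable[WPUser], since: datetime) -> List[WPUser]:
    """Administrator accounts created on or after `since`.

    The article states the bug is used to create admin-level users, so any
    administrator that nobody remembers creating deserves a manual review,
    regardless of its username.
    """
    return [
        u for u in users
        if "administrator" in parse_roles(u.capabilities) and u.user_registered >= since
    ]


# Constructed sample export: two legitimate users, one editor, and two
# accounts using names from the article (not real data).
SAMPLE_USERS = [
    WPUser("alice", "alice@example.test", datetime(2023, 1, 10),
           'a:1:{s:13:"administrator";b:1;}'),
    WPUser("bob", "bob@example.test", datetime(2023, 3, 2),
           'a:1:{s:10:"subscriber";b:1;}'),
    WPUser("carol", "carol@example.test", datetime(2023, 6, 28),
           'a:1:{s:6:"editor";b:1;}'),
    WPUser("wpengine_backup", "x@example.test", datetime(2023, 6, 30),
           'a:1:{s:13:"administrator";b:1;}'),
    WPUser("segs_brutal", "y@example.test", datetime(2023, 7, 1),
           'a:1:{s:13:"administrator";b:1;}'),
]


if __name__ == "__main__":
    for u in find_ioc_accounts(SAMPLE_USERS):
        print(f"IOC username present: {u.user_login} ({u.user_email})")
    for u in find_admins_registered_since(SAMPLE_USERS, datetime(2023, 6, 1)):
        print(f"Recent administrator to review: {u.user_login} registered {u.user_registered:%Y-%m-%d}")
```

The username check alone is not sufficient, because an attacker can pick any name; the second function exists precisely so that a new administrator with an innocuous login is still surfaced. Run against a real export, the `since` date should be the day the plugin was installed or the last time the admin list was verified.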