
Hackers exploit zero-day in Ultimate Member WordPress plugin with 200K installs

  • June 30, 2023

Jasper_The_Rasper
Moderator

June 30, 2023 By Bill Toulas

 


Hackers exploit a zero-day privilege escalation vulnerability in the 'Ultimate Member' WordPress plugin to compromise websites by bypassing security measures and registering rogue administrator accounts.

Ultimate Member is a user profile and membership plugin that facilitates sign-ups and building communities on WordPress sites, and it currently has over 200,000 active installations.

The exploited flaw, tracked as CVE-2023-3460 and carrying a CVSS v3.1 score of 9.8 ("critical"), impacts all versions of the Ultimate Member plugin, including its latest version, v2.6.6.

While the developers initially attempted to fix the flaw in versions 2.6.3, 2.6.4, 2.6.5, and 2.6.6, there are still ways to exploit the flaw. The developers have said they are continuing to work on resolving the remaining issue and hope to release a new update soon.

 
