Subj : This WordPress plugin grants hackers 'ultimate' admin access to y To : All From : TechnologyDaily Date : Mon Jul 03 2023 13:30:03 This WordPress plugin grants hackers 'ultimate' admin access to your site Date: Mon, 03 Jul 2023 12:03:22 +0000 Description: Hackers exploiting this vulnerability can add themselves as a WordPress admin to your site, so patch now. FULL STORY ====================================================================== Thousands of WordPress sites could be at risk as a vulnerability in the Ultimate Member plugin gets exploited, but a quick fix will stop your site from being taken over. The plugin, which has amassed more than 200,000 downloads on the platform, is designed to support user signups and memberships on WordPress websites. The vulnerability which is being tracked as CVE-2023-3460 has been awarded a score of 9.8, making it critical. It is believed to have impacted all versions of the plugin. Ultimate Member plugin is getting a patch ASAP WordPress support platform user softwaregeek posted their concerns about the vulnerability, which they said allows an unauthenticated attacker to register as an administrator and take full control of the website. Read more > These are the best malware removal tools around > WordPress force installs update on 5 million sites following security worry > Top WordPress ecommerce plugin has a major security flaw, so patch now An attacker can bypass a filter that allows them to amend the wp_capabilities record, making themselves a site admin. Plugin Support team member andrewshu confirmed that versions 2.6.4, 2.6.5, and 2.6.6 went some way to closing the vulnerability, but users were still at risk. Wordfence , which is credited with first sounding the alarm bells, urged the plugins users to uninstall the plugin until a fix had been issued. The company also announced that it had released a firewall rule to help protect some of its customers. Later, andrewshu confirmed that version 2.6.7 had been released as a fix. Details in the plugins changelog confirm that this is the case: Fixed: A privilege escalation vulnerability used through UM Forms. Known in the wild that vulnerability allowed strangers to create administrator-level WordPress users. In the notes, the developer urged users to ensure that they have now updated to version 2.6.7, and to check admin-level users on their site in case they have been a victim of the exploit. Check out our roundup of the best WordPress hosting services ====================================================================== Link to news story: https://www.techradar.com/pro/this-wordpress-plugin-grants-hackers-ultimate-ad min-access-to-your-site --- Mystic BBS v1.12 A47 (Linux/64) * Origin: tqwNet Technology News (1337:1/100) .