Authors of the Ultimate Member plugin have released version 2.6.7 with a patch for a privilege escalation vulnerability. Last week WPScan reported that Ultimate Member had still not fully patched the vulnerability after multiple inadequate attempts. There was evidence that it was being actively exploited in the wild.
Working through the complexities of this security issue, WPScan researcher Marc Montpas opened a ticket on WordPress trac, identifying an issue with the meta key field in the usermeta table using accent insensitive collations:
Looking at the latest string of vulnerability issues that came up related to the Ultimate Member plugin, I discovered that the usermeta table has an accent insensitive collation for the meta_key field. This results in queries for wp_cãpăbilitiës to return the actual wp_capabilities row! See update_metadata() function in wp-includes/meta.php
Imagine the attack surface this brings. In fact, don’t imagine, just look at the recent attacks in the wild.
This particular issue made it more difficult to fully patch the vulnerability in question. Ultimate Member released version 2.6.7 on July 1, 2023, which adds a whitelist of the meta keys the plugin stores when forms are submitted. The plugin's security advisory details a few other changes that may affect third-party developers:
2.6.7 also separates form settings data and submitted data and operates them in 2 different variables.
[It] includes some significant changes to how form submissions are handled. This may cause 3rd-party modifications to stop working. For third-party developers, please update your customizations to support the new changes in the latest version.
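As an added example, not code from the plugin or from WPScan, the following Python shows the two sides of the issue described above: how an accent-insensitive comparison makes wp_cãpăbilitiës collide with wp_capabilities, and why an exact-match meta-key whitelist like the one 2.6.7 introduces closes that gap. The allowlist, the protected-key list and the sample form submission are constructed for the illustration.

```python
import unicodedata

# Constructed allowlist standing in for the one 2.6.7 introduces:
# only these meta keys may be written from a form submission.
ALLOWED_META_KEYS = frozenset({"first_name", "last_name", "description"})
# Keys that must never be writable from a form, however they are spelled.
PROTECTED_META_KEYS = frozenset({"wp_capabilities", "wp_user_level"})

def fold_accents(text):
    """Approximate an accent- and case-insensitive collation: decompose,
    drop combining marks, case-fold. 'wp_cãpăbilitiës' -> 'wp_capabilities'."""
    decomposed = unicodedata.normalize("NFKD", text)
    return "".join(c for c in decomposed if not unicodedata.combining(c)).casefold()

def collides_with_protected(key):
    """Return the protected key an accent-insensitive lookup would match for
    this submitted key, or None if there is no collision."""
    folded = fold_accents(key)
    for protected in PROTECTED_META_KEYS:
        if fold_accents(protected) == folded:
            return protected
    return None

def filter_submission(fields):
    """Keep only exact (byte-wise) allowlisted keys. Everything else is
    rejected; rejected keys that collide with a protected key are reported
    as 'submitted -> protected' so they can be logged and alerted on."""
    kept, rejected = {}, []
    for key, value in fields.items():
        if key in ALLOWED_META_KEYS:  # exact match, no collation involved
            kept[key] = value
        else:
            target = collides_with_protected(key)
            rejected.append(f"{key} -> {target}" if target else key)
    return kept, rejected

# Constructed form submission: one legitimate field plus a key that differs
# from wp_capabilities only by accents (value is a placeholder).
SAMPLE_SUBMISSION = {
    "first_name": "Alice",
    "wp_cãpăbilitiës": "<attacker-supplied value>",
}

if __name__ == "__main__":
    print(filter_submission(SAMPLE_SUBMISSION))
```

The same exact-key check belongs in the database query as well: comparing meta_key under a binary collation rather than the table's default avoids the accent-folding match entirely.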
Ultimate Member recommends users review and delete any unknown administrator accounts, reset all user passwords including the admin, enable SSL and backups, and send any advisories to site members and/or customers about the incident. The plugin’s developers are working on releasing a feature inside the plugin that will enable the website admin to reset passwords for all users, but it is still being finalized:
The reason for this is that a site using our plugin may have been hacked or injected with malware that sniffs login inputs. Because this vulnerability issue is prone to these attacks, we recommend resetting passwords after updating with a security patch. This is to ensure the best protection for your website users' passwords.
All Ultimate Member users should update to the latest available version, 2.6.7, which has the patch for the vulnerability. The plugin’s developers are awaiting more feedback from WPScan and are evaluating all their extensions to ensure they are secure.