Researchers have discovered critical privilege-escalation vulnerabilities in a WordPress plugin installed on 100k websites.
The three flaws in Ultimate Member were detected by Wordfence's Threat Intelligence Team, which described them as "critical and severe" and "easy to exploit."
By abusing the flaws, an attacker could escalate their privileges to those of an administrator and completely take over a WordPress site.
"Once an attacker has administrative access to a WordPress site, they have effectively taken over the entire site and can perform any action, from taking the site offline to further infecting the site with malware," noted researchers.
Ultimate Member is a free user profile plugin deployed to create online communities and membership sites with WordPress. It allows site owners to create custom roles and manage the privileges of site members.
"We discovered that the user registration form lacked some checks on submitted user data," wrote researchers.
"This oversight made it possible for an attacker to supply arbitrary user meta keys during the registration process that would update those meta keys in the database."
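The pattern the researchers describe, as an added illustration that is not Ultimate Member's code and not part of Wordfence's write-up: a simplified registration handler that writes whatever field names the form submits, beside a version that only writes keys declared by the form definition. It assumes it runs inside WordPress (`update_user_meta`, `sanitize_key`, `sanitize_text_field` are core functions); the allowlisted field names are hypothetical.

```php
<?php
// Illustrative only: NOT the plugin's actual code. Assumes WordPress core is loaded.

// Vulnerable pattern: every submitted field name becomes a user meta key.
function register_user_meta_vulnerable(int $user_id, array $submitted): void {
    foreach ($submitted as $meta_key => $value) {
        // $meta_key is attacker-controlled, so any meta row for the new user
        // can be written, not just the profile fields the form intended.
        update_user_meta($user_id, sanitize_key($meta_key), sanitize_text_field($value));
    }
}

// Hardened pattern: the set of writable keys comes from the form definition,
// never from the request, and it must never include role or capability metadata.
const REGISTRATION_META_ALLOWLIST = ['first_name', 'last_name', 'description']; // hypothetical fields

function register_user_meta_hardened(int $user_id, array $submitted): array {
    $rejected = [];
    foreach ($submitted as $meta_key => $value) {
        if (!in_array($meta_key, REGISTRATION_META_ALLOWLIST, true)) {
            $rejected[] = $meta_key; // drop silently for the user, keep for logging
            continue;
        }
        update_user_meta($user_id, $meta_key, sanitize_text_field($value));
    }
    // Unexpected keys in registration requests are a useful detection signal;
    // the caller can log them rather than discarding them unseen.
    return $rejected;
}
```

Returning the rejected keys lets the caller log probing attempts against the registration form instead of discarding the evidence.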
Researchers found the first flaw on October 19, 2020, and reached out to the plugin's developer on October 23.
"After establishing an appropriate communication channel, we provided the full disclosure details on October 26, 2020," said researchers.
The developer acted swiftly, sending Wordfence a copy of the first intended patch for testing on October 26.
"We confirmed the patch fixed one of the vulnerabilities, however, two still remained," said researchers.
The remaining flaws were fixed in an updated copy that the developer provided to Wordfence three days later. A patched version of Ultimate Member, 2.1.12, was released on October 29, 2020.
"The privilege escalation vulnerabilities found in the WordPress Ultimate Member plugin demonstrate the continued risks of plugins to any web application making them a regular target for attackers. Just one compromised third-party plugin can infect tens of thousands of websites in one stroke," commented Ameet Naik, security evangelist at PerimeterX.
"Businesses must understand the risks imposed by third-party WordPress plugins and must secure their websites using web application firewalls, as well as client-side visibility solutions that can reveal the presence of malicious code on their sites."