Hackers are actively exploiting a critical unpatched flaw in Ultimate Member, a popular WordPress plugin used for user profiles and membership management. The flaw, tracked as CVE-2023-3460 with a CVSS score of 9.8, allows attackers to create hidden administrator accounts on targeted websites. The plugin currently has over 200,000 active installations.
Researchers from WPScan, a WordPress security firm, discovered unauthorized administrator accounts on affected websites. By exploiting the vulnerability, attackers can create new user accounts with administrative privileges and thereby gain complete control over the compromised sites.
According to the researchers, the root cause is the plugin's use of a predefined list of user metadata keys that users should not be allowed to modify. The plugin checks registration requests against this list to see whether a user is attempting to set one of those keys while creating a new account. However, the researchers found this check to be insecure and susceptible to bypass.
The researchers further explained that this vulnerability is an instance of a common security anti-pattern: blocking known-bad inputs (a blocklist) leaves unintended gaps, because anything the list does not anticipate is allowed through. They recommended allowlists, which approve only specific inputs and reject everything else, as the more robust approach. In the case of Ultimate Member, differences between how the plugin's blocklist logic and WordPress itself treat metadata keys allow attackers to trick the plugin into updating restricted keys such as "wp_capabilities", which stores a user's role and capabilities.
While WPScan did not provide specific details about the attacks, it shared Indicators of Compromise (IoCs) associated with them. Another security research group, Wordfence, also observed similar attacks and confirmed that the flaw has not been adequately addressed in the latest available version of the plugin (version 2.6.6 at the time of writing).
Wordfence noted that although the plugin maintains a predefined list of banned keys that users should not be able to update, there are straightforward ways to bypass the implemented filters. By varying letter case, inserting slashes, or changing the character encoding of the meta key, attackers can exploit vulnerable versions of the plugin. This unpatched vulnerability poses a significant risk, potentially allowing unauthorized users to take control of any website with the plugin installed. As a precaution, Wordfence advised site owners to verify that the Ultimate Member plugin is not installed on their websites, and recommended that others do the same until an official patch is available.
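To make the blocklist-versus-allowlist point concrete, here is an added Python model of the two approaches to validating user-submitted metadata keys. It is illustrative code written for this article, not the plugin's own PHP, and the key lists, the `normalize_key` canonicalization rules and the function names are all constructed assumptions; the point is that an exact-match blocklist silently admits any variant it did not anticipate, while an allowlist that also requires the submitted key to equal its canonical form rejects case, backslash and percent-encoded variants without having to enumerate them.

```python
import urllib.parse
from typing import Dict, List, Tuple

# Constructed allowlist of profile keys a registration form may legitimately set.
ALLOWED_PROFILE_KEYS = frozenset({"first_name", "last_name", "description", "user_url"})

# Constructed blocklist in the style the article criticises: a few known-dangerous keys,
# compared by exact string match only.
BLOCKED_KEYS = frozenset({"wp_capabilities", "wp_user_level"})


def blocklist_allows(key: str) -> bool:
    """Anti-pattern: allow the key unless it is literally on the blocklist."""
    return key not in BLOCKED_KEYS


def normalize_key(key: str) -> str:
    """Canonicalize a key the way a downstream layer might before comparing it
    (assumed rules: percent-decode, drop backslashes, trim, lowercase)."""
    decoded = urllib.parse.unquote(key)
    return decoded.replace("\\", "").strip().lower()


def allowlist_allows(key: str) -> bool:
    """Fail closed: accept only keys whose canonical form is on the allowlist AND
    whose raw form already equals that canonical form, so an encoded or
    differently-cased spelling of an approved key is rejected too."""
    canon = normalize_key(key)
    return key == canon and canon in ALLOWED_PROFILE_KEYS


def filter_submitted_meta(submitted: Dict[str, str]) -> Tuple[Dict[str, str], List[str]]:
    """Split a submitted form payload into accepted metadata and rejected key names."""
    accepted: Dict[str, str] = {}
    rejected: List[str] = []
    for key, value in submitted.items():
        if allowlist_allows(key):
            accepted[key] = value
        else:
            rejected.append(key)
    return accepted, rejected


if __name__ == "__main__":
    # Constructed sample payload: one legitimate field and one variant of a restricted key.
    sample = {"first_name": "Alice", "WP_Capabilities": "tampered"}
    print(filter_submitted_meta(sample))
```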
In light of the ongoing exploitation and the absence of a definitive fix, administrators of websites using the Ultimate Member plugin are advised to disable it until a patch is released.