Are you using the Ultimate Members plugin for your WordPress website? Then update the plugin to the latest version as soon as possible.
In an extensive blog post, Sophos warns about Ultimate Members, a widely used WordPress plugin for managing user accounts. A vulnerability in the plugin allows outsiders to log in to your website as an administrator, which could give someone with malicious intent a free hand to take over your site entirely.
More specifically, the bug is in the plugin's registration form, explains a post on the WordPress support forum. Users can customize certain values on the form, including their assigned role. Although an attacker cannot directly change their role to administrator, the plugin's built-in checks can be fooled by manipulating the input values.
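To make the registration-form weakness concrete, the following added example (not code from the plugin, the forum post or Sophos) contrasts a blocklist filter over client-submitted profile fields with an allowlist that assigns the role server-side; the field names, role values and sample submission are constructed for illustration.

```python
# Added illustration: two ways a registration handler can filter the fields a
# visitor submits. Field names and role values are constructed, not the plugin's.

ADMIN_ROLE = "administrator"
DEFAULT_ROLE = "subscriber"

# Flawed pattern: store every submitted key unless it appears on a blocklist.
# This is default-allow: any key the blocklist author did not anticipate
# (spelling variants, alternative meta keys) reaches the user profile untouched.
BLOCKED_KEYS = {"role", "wp_capabilities"}


def register_blocklist(submitted: dict) -> dict:
    """Return the profile that would be stored under the blocklist approach."""
    profile = {k: v for k, v in submitted.items() if k not in BLOCKED_KEYS}
    # The role is only defaulted when the client did not manage to set it.
    profile.setdefault("role", DEFAULT_ROLE)
    return profile


# Hardened pattern: the form declares exactly which fields a visitor may fill in
# (default-deny), and the role comes from server-side form configuration, never
# from the request. Administrator is refused as a self-registration role outright.
REGISTERABLE_FIELDS = {"user_login", "user_email", "first_name", "last_name"}


def register_allowlist(submitted: dict, form_role: str = DEFAULT_ROLE) -> dict:
    """Return the profile that would be stored under the allowlist approach."""
    if form_role == ADMIN_ROLE:
        raise ValueError("a public registration form must not grant administrator")
    profile = {k: v for k, v in submitted.items() if k in REGISTERABLE_FIELDS}
    # Overwrite unconditionally: whatever the client sent for "role" is discarded.
    profile["role"] = form_role
    return profile


if __name__ == "__main__":
    # Constructed submission: two legitimate fields plus one key the form never asked for.
    sample = {"user_login": "alice", "user_email": "alice@example.test", "extra_meta": "x"}
    print("blocklist stores:", register_blocklist(sample))
    print("allowlist stores:", register_allowlist(sample))
```

The difference to look for is which keys survive: the blocklist version keeps the unexpected key, the allowlist version silently drops it and pins the role.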
Lucky for the fourth time
In a reply to this forum post, an Ultimate Members developer states that his team is already working on a fix. Since a customer first reported it, the plugin has received three updates that only partially resolved the issue. Two days ago, Ultimate Members rolled out version 2.6.7, which is intended to close the vulnerability completely. Updating to this version is recommended.
This chain of updates prompted Sophos researchers to draw a comparison with the MOVEit vulnerability, which has been causing major problems for a month. Progress Software's development teams have already made several attempts to fix that flaw, but new bugs keep popping up.
Leaky plugins
Vulnerabilities in WordPress plugins are common. With so many websites running on WordPress, a single plugin flaw often leaves millions of websites exposed to attack at once. To keep your website healthy, take the time to check that your plugins are still up to date, and don't hesitate to remove poorly secured or buggy plugins.