In a startling disclosure, Wordfence, a well-known security company, recently reported a critical zero-day vulnerability in Ultimate Member, a widely used “user login system” plugin for the WordPress blogging platform. The vulnerability allows attackers to grant their own accounts elevated administrative privileges, effectively giving them full control over targeted websites.
200,000 websites already use the plugin
The vulnerability, tracked as CVE-2023-3460, received a severity score of 9.8, placing it in the critical range. It could allow cybercriminals to manipulate the wp_capabilities data of their own user accounts, bypassing the plugin’s built-in security measures. By setting their own account as an administrator, attackers gain full control over the compromised website.
The plugin developer responded quickly. On June 26, it released Ultimate Member version 2.6.3, which partially mitigates the vulnerability. Then, on July 1, it released version 2.6.7, which fully fixes it.
Unfortunately, over 200,000 WordPress websites have the Ultimate Member plugin activated. Because updates often lag behind disclosure, given the large install base and uneven distribution of the advisory, many of these websites remain extremely exposed to attackers.
Webmasters and website owners are strongly advised to act immediately by updating the Ultimate Member plugin to the latest version, 2.6.7, to protect their websites from potential attacks. It is also imperative to remain vigilant and monitor for any suspicious activity or unauthorized access attempts, in particular unexpected accounts holding the administrator role.
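The two checks the advice above boils down to are "is the installed plugin version still below 2.6.7?" and "does any account hold the administrator role in wp_capabilities that I did not create?". The script below is an added example, not code from Wordfence or the Ultimate Member project. It parses the PHP-serialized wp_capabilities value that WordPress stores in the wp_usermeta table, flags administrator accounts that are not on an allowlist of known admins (with their registration date, so a reviewer can see whether they appeared after the disclosure), and compares a plugin version string against the fixed release. The user and usermeta rows, the allowlist and the cutoff date are constructed sample data for this example.

```python
import re

# Constructed sample rows shaped like a wp_users / wp_usermeta export.
# All values are made up for this example; they do not come from a real site.
SAMPLE_USERS = [
    {"ID": 1, "user_login": "siteowner", "user_registered": "2021-03-10 08:00:00"},
    {"ID": 2, "user_login": "editor_jane", "user_registered": "2022-11-02 14:30:00"},
    {"ID": 3, "user_login": "newreg_7731", "user_registered": "2023-06-29 02:17:44"},
]
SAMPLE_USERMETA = [
    {"user_id": 1, "meta_key": "wp_capabilities", "meta_value": 'a:1:{s:13:"administrator";b:1;}'},
    {"user_id": 2, "meta_key": "wp_capabilities", "meta_value": 'a:1:{s:6:"editor";b:1;}'},
    {"user_id": 3, "meta_key": "wp_capabilities", "meta_value": 'a:1:{s:13:"administrator";b:1;}'},
]

# Assumed allowlist of accounts that are legitimately administrators on this site.
KNOWN_ADMINS = {"siteowner"}

# First release with the full fix, per the advisory (2.6.3 only partially mitigated).
FIXED_VERSION = (2, 6, 7)

# WordPress serializes roles as a PHP array: a:N:{s:<len>:"<role>";b:<0|1>;...}
_ROLE_RE = re.compile(r's:\d+:"([^"]+)";b:(0|1);')


def parse_roles(serialized):
    """Return the set of roles whose flag is true in a serialized wp_capabilities value."""
    return {role for role, flag in _ROLE_RE.findall(serialized) if flag == "1"}


def find_unexpected_admins(users, usermeta, known_admins, cutoff_date=None):
    """Flag administrator accounts that are not in the allowlist.

    cutoff_date is an ISO date string (YYYY-MM-DD); accounts registered on or
    after it get an extra note, since wp_users.user_registered sorts lexically.
    Returns a list of (user_login, reason) tuples.
    """
    caps = {m["user_id"]: m["meta_value"]
            for m in usermeta if m["meta_key"] == "wp_capabilities"}
    flagged = []
    for u in users:
        roles = parse_roles(caps.get(u["ID"], ""))
        if "administrator" not in roles or u["user_login"] in known_admins:
            continue
        reason = "administrator role not in known-admin allowlist"
        if cutoff_date is not None and u["user_registered"][:10] >= cutoff_date:
            reason += "; registered on/after " + cutoff_date
        flagged.append((u["user_login"], reason))
    return flagged


def is_vulnerable_version(version):
    """True if a dotted numeric version string is older than the fixed release."""
    parts = tuple(int(p) for p in version.split("."))
    return parts < FIXED_VERSION


def run_sample():
    """Run the checks over the constructed data; returns the flagged accounts."""
    return find_unexpected_admins(SAMPLE_USERS, SAMPLE_USERMETA, KNOWN_ADMINS, "2023-06-26")


if __name__ == "__main__":
    for login, reason in run_sample():
        print(f"REVIEW: {login}: {reason}")
    for v in ("2.6.3", "2.6.7", "2.6.10"):
        print(f"Ultimate Member {v}: {'vulnerable' if is_vulnerable_version(v) else 'fixed'}")
```

Run against a real export, the same check is a query that joins wp_users and wp_usermeta on meta_key = 'wp_capabilities' and looks for the string "administrator"; the allowlist and the registration-date comparison are what turn that listing into an actionable review. The version comparison assumes plain dotted numeric versions, which is how the plugin's releases are numbered.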
Experts stress the importance of promptly patching software vulnerabilities and applying the latest security updates. Regularly updating plugins and software is an important practice that helps preserve website integrity and protects against new cyber threats.