Vulnerability Management, Identity
Ongoing attacks abusing critical WordPress bug could hit over 200K sites
SecurityWeek reports that over 200,000 WordPress sites using the Ultimate Member plugin could be vulnerable to ongoing attacks, which began earlier this month, exploiting a critical privilege escalation flaw tracked as CVE-2023-3460.
The attacks were identified and reported by at least two WordPress site owners. According to WPScan, the vulnerability stems from operational differences between Ultimate Member's blocklist logic and WordPress's metadata key management; threat actors have leveraged it to trigger unintended metadata key updates and register additional user accounts with the administrator role.
Although the two most recent versions of Ultimate Member include patches for the bug, a complete fix has not yet been achieved, prompting recommendations to disable the plugin to curb potential attacks and to conduct a site-wide audit for possible rogue accounts.
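The site-wide audit recommended above is something a site operator can script. The following is an added example, not code from the article, WPScan, or the Ultimate Member plugin: it assumes rows exported from the wp_users and wp_usermeta tables (for instance via a read-only SQL query or WP-CLI), parses the PHP-serialized capabilities value WordPress stores per user, and flags administrator accounts that are either not on an expected list or were registered after a given date. The sample rows are constructed for illustration.

```python
"""
Audit exported WordPress user tables for unexpected administrator accounts.

Added example (not from the article or the plugin). Assumes the operator has
exported rows from wp_users and wp_usermeta; the rows below are constructed.
"""
import re
from datetime import datetime

# WordPress stores roles in the usermeta row "<prefix>capabilities" as a
# PHP-serialized array, e.g. a:1:{s:13:"administrator";b:1;}
# This regex pulls out every role name whose value is boolean true.
ROLE_RE = re.compile(r's:\d+:"([^"]+)";b:1;')


def roles_from_capabilities(serialized: str) -> set:
    """Return the role names set to true in a PHP-serialized capabilities array."""
    return set(ROLE_RE.findall(serialized))


# Constructed sample export; in a real audit these come from the database.
USERS = [
    {"ID": 1, "user_login": "siteowner", "user_registered": "2021-03-02 10:15:00"},
    {"ID": 2, "user_login": "editor_jane", "user_registered": "2022-07-19 08:00:00"},
    {"ID": 3, "user_login": "wpadmin01", "user_registered": "2023-06-28 03:41:12"},
]
USERMETA = [
    {"user_id": 1, "meta_key": "wp_capabilities",
     "meta_value": 'a:1:{s:13:"administrator";b:1;}'},
    {"user_id": 2, "meta_key": "wp_capabilities",
     "meta_value": 'a:1:{s:6:"editor";b:1;}'},
    {"user_id": 3, "meta_key": "wp_capabilities",
     "meta_value": 'a:1:{s:13:"administrator";b:1;}'},
    {"user_id": 3, "meta_key": "wp_user_level", "meta_value": "10"},
]


def find_admins(users, usermeta, table_prefix="wp_"):
    """Return the wp_users rows whose capabilities include the administrator role."""
    cap_key = f"{table_prefix}capabilities"
    admin_ids = {
        row["user_id"]
        for row in usermeta
        if row["meta_key"] == cap_key
        and "administrator" in roles_from_capabilities(row["meta_value"])
    }
    return [u for u in users if u["ID"] in admin_ids]


def find_rogue_admins(users, usermeta, known_admins, since=None, table_prefix="wp_"):
    """
    Flag administrator logins that are not in `known_admins`, or that were
    registered at or after `since` (a datetime), whichever applies.
    """
    flagged = []
    for u in find_admins(users, usermeta, table_prefix):
        registered = datetime.strptime(u["user_registered"], "%Y-%m-%d %H:%M:%S")
        unexpected = u["user_login"] not in known_admins
        recent = since is not None and registered >= since
        if unexpected or recent:
            flagged.append(u["user_login"])
    return sorted(flagged)


if __name__ == "__main__":
    # Example run against the constructed export: only "siteowner" is expected.
    for login in find_rogue_admins(USERS, USERMETA, {"siteowner"}):
        print(f"review administrator account: {login}")
```

The `since` filter is useful when the expected-admin list is incomplete: anything granted the administrator role after the date the plugin was installed or the attacks were reported deserves a second look, even if the login name looks familiar. The table prefix must match the site's actual prefix, since the capabilities meta key is derived from it.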