WordPress Plugin Bug Leaves Over 200,000 Websites at Risk of Hacking: Report
Over 200,000 WordPress websites are currently vulnerable to hacking because of a serious security flaw that has not yet been fully fixed and is being actively exploited by attackers.
According to WordPress security company WPScan, the flaw is found in the Ultimate Member plugin, a free user profile WordPress plugin that makes it easy to create powerful online communities and membership sites using WordPress.
“This is a very serious problem because unauthenticated attackers could exploit this vulnerability to create new user accounts with administrative privileges, giving them the authority to take full control of the affected sites,” the security firm warned.
“There was no full fix for this issue,” and worryingly, “there were indications that malicious actors were actively exploiting this issue,” the company added.
In response to the vulnerability report, the plugin's developers promptly released version 2.6.4, which was intended to fix the problem.
“However, while investigating this update, we found numerous methods to work around the proposed patch, suggesting that the issue is still fully exploitable,” the WPScan team noted.
The plugin relies on a predefined list of user metadata keys that users must not be allowed to set.
It checks submitted registration data against this list to catch attempts to register those keys when an account is created.
“Unfortunately, differences in the Ultimate Member blacklist logic and how WordPress handles metadata keys allowed attackers to trick the plugin into updating some it shouldn’t,” the team said.
Security researchers recommend that site owners disable the Ultimate Member plugin until a patch that fully addresses the issue is available.
Sites hosted on WP.cloud, such as WordPress.com and Pressable.com, have received a platform-level patch to mitigate the vulnerability.
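Because the flaw is used to create administrator accounts, a practical defender-side check is to list every administrator on the site and when it was registered, and review any account that appeared after the plugin was installed or after the first public reports. The script below is an added example, not code from the report or the plugin: it runs over constructed sample rows standing in for an export of the `wp_users` and `wp_usermeta` tables, parses the PHP-serialized `wp_capabilities` value WordPress stores per user, and flags administrators registered after a chosen cutoff.

```python
"""Flag WordPress administrator accounts from exported wp_users / wp_usermeta rows.

The sample rows below are constructed for this example; the function names and the
cutoff-date approach are assumptions of this example, not part of the report.
"""
import re
from datetime import datetime

# Constructed sample rows from wp_users: (ID, user_login, user_registered).
USERS = [
    (1, "siteowner", "2021-03-02 10:00:00"),
    (42, "editor_jane", "2022-07-19 08:30:00"),
    (913, "wpadminx", "2023-06-29 03:12:45"),
]

# Constructed sample rows from wp_usermeta: (user_id, meta_key, meta_value).
# wp_capabilities holds a PHP-serialized array mapping role name => true.
USERMETA = [
    (1, "wp_capabilities", 'a:1:{s:13:"administrator";b:1;}'),
    (42, "wp_capabilities", 'a:1:{s:6:"editor";b:1;}'),
    (913, "wp_capabilities", 'a:1:{s:13:"administrator";b:1;}'),
    (913, "wp_user_level", "10"),
]

_STRING_PREFIX = re.compile(r's:(\d+):"')


def roles_from_capabilities(serialized: str) -> set[str]:
    """Return the role names set to true in a PHP-serialized wp_capabilities value."""
    roles: set[str] = set()
    pos = 0
    while (m := _STRING_PREFIX.search(serialized, pos)):
        length = int(m.group(1))          # PHP's s:N:"..." gives the byte length up front
        start = m.end()
        name = serialized[start:start + length]
        if serialized.startswith('";b:1;', start + length):  # role => true
            roles.add(name)
        pos = start + length
    return roles


def find_admin_accounts(users, usermeta, registered_after: str):
    """Return (id, login, registered) for administrators registered after the cutoff."""
    caps = {uid: val for uid, key, val in usermeta if key == "wp_capabilities"}
    cutoff = datetime.strptime(registered_after, "%Y-%m-%d %H:%M:%S")
    flagged = []
    for uid, login, registered in users:
        if "administrator" not in roles_from_capabilities(caps.get(uid, "")):
            continue
        if datetime.strptime(registered, "%Y-%m-%d %H:%M:%S") > cutoff:
            flagged.append((uid, login, registered))
    return flagged
```

Any flagged login that the site's administrators do not recognise should be treated as a possible sign of compromise and investigated rather than simply deleted.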