Exposed: Hackers Manipulate Unpatched WordPress Plugin

Unpatched WordPress

As website design and SEO experts that work closely with managed service providers and IT clients, we believe that we should inform people about the latest in cybersecurity threats, especially when it comes to websites built in WordPress. A recently unpatched WordPress plugin, Ultimate Member, has left as many as 200,000 WordPress websites at risk of cyber attacks. 

The Ultimate Member Unpatched WordPress Plugin

The flaw, identified as CVE-2023-3460 and carrying a high CVSS score of 9.8, affects all versions of the Ultimate Member plugin, including the latest release, version 2.6.6. This plugin, known for enabling user profiles and community creation, as well as account management, has unfortunately become a target for malicious actors.

Leading WordPress security firm WPScan has described this situation as a very serious issue. Unauthenticated attackers have the potential to exploit this vulnerability by creating new user accounts with administrative privileges. 

This unauthorized access grants them complete control over affected sites, posing a significant threat to your website’s integrity and security.

While specific details about the flaw have not been disclosed due to ongoing abuse, it stems from inadequate blocklist logic. Attackers can exploit this vulnerability by modifying the wp_capabilities user meta value of a new user, effectively elevating their privileges to that of an administrator.

Wordfence researcher Chloe Chamberland explains that although the plugin has a pre-defined list of banned keys that users should not be able to modify, there are ways to bypass these filters. Attackers can leverage various cases, slashes, and character encoding to supply a meta key value that exploits vulnerable versions of the plugin.

Instances of rogue administrator accounts being added to affected sites have raised alarm bells. To address the issue, the plugin maintainers have released partial fixes in versions 2.6.4, 2.6.5, and 2.6.6. However, it is important to note that WPScan has deemed these patches incomplete, with several methods to circumvent them still being discovered. This means the vulnerability remains actively exploitable.

In observed attacks, threat actors have utilized the flaw to register new accounts under various names, including apadmins, se_brutal, segs_brutal, wpadmins, wpengine_backup, and wpenginer. Once inside, they upload malicious plugins and themes through the site’s administration panel, further compromising website security.

What You Should Do

We strongly advise users of the Ultimate Member plugin to disable it immediately until a comprehensive patch is released. Additionally, it is crucial to conduct an audit of all administrator-level users on your website to identify any unauthorized accounts that may have been added.

The Ultimate Member authors have responded to this situation by releasing version 2.6.7 of the plugin on July 1. This update addresses the actively exploited privilege escalation flaw. The authors have also included a new feature that allows website administrators to reset passwords for all users, adding an extra layer of protection.

In their advisory, Ultimate Member maintainers explain that version 2.6.7 introduces whitelisting for meta keys used during form submissions. They have also separated form settings data and submitted data, treating them as two distinct variables. These enhancements aim to mitigate the vulnerability and safeguard your website from potential attacks.

Next Steps

At BigOrange Marketing, we prioritize the security and success of our clients. We urge you to take immediate action by disabling the Ultimate Member plugin and applying the necessary updates as soon as they become available. 

By doing so, you’ll ensure the continued integrity and safety of your WordPress website.Want more WordPress expertise? Contact us today for a non-salesy discussion on how creating the right StoryBranded website could take your organization to the next level.

BigOrange Team

BigOrange Team

At BigOrange Marketing our team helps dozens of companies win millions of dollars in business while delivering what others just promise. We provide websites and complete outsourced digital marketing plans to help you get found, get results and get your time back.

Share the knowledge

Effective Inbound Marketing Strategy

10 Steps to Ensure Your Inbound Marketing Works: A Citrus-Inspired Guide

In the world of marketing, an effective inbound marketing strategy is like tending to a grove of fruitful orange trees. To help you squeeze the…

Explore this Topic
How Do You Find Leads for IT Services?

How Do You Find Leads for IT Services? And Other Burning IT Marketing Questions

When it comes to MSP marketing, one of the top questions is “how do you find leads for IT services?” To answer this and other…

Explore this Topic
MSP Industry Should Share Phishing - Here's Why

Why the MSP Industry Needs to Share Phishing Attempts

In today’s digital landscape, where cyber threats are becoming increasingly sophisticated, managed service providers (MSPs) play a critical role in safeguarding businesses against cyberattacks. Phishing…

Explore this Topic
Boost Search Engine Optimization for Manufacturers

Step Up Your Marketing Strategy: Search Engine Optimization for Manufacturers

For modern businesses, mastering search engine optimization (SEO) is no longer just a choice; it’s a necessity. Manufacturers, often immersed in the intricacies of production,…

Explore this Topic
Google Analytics Universal vs GA4 for Developers

Google Analytics Universal vs GA4: What It Means for Developers

Google Analytics has sunsetted their Universal Analytics Model and replaced it with GA4. So, what’s the difference between Google Analytics Universal vs GA4 and what…

Explore this Topic
Managed Services Providers Security

How Managed Services Providers Can Market Their SOC Services

If you’re a managed services provider you’ve probably felt the pressure or need to offer a security operations center (SOC) to your product offerings. Whether…

Explore this Topic
Digital Marketing Podcast Evolvepreneur Margee Moore

BigOrange CEO Shares Entrepreneur Story on Digital Marketing Podcast Episode

Digital marketing podcast Evolvepreneur, hosted by Mechelle McDonald, recently featured Margee Moore on an episode of After Hours to speak on the many ways that…

Explore this Topic
PCI Compliance Email from QuickBooks - What Do I Do

PCI Compliance Email from QuickBooks: What Do You Need to Do?

If you’re a business owner, you likely use QuickBooks to manage your finances and run things efficiently and effectively. Recently, a PCI compliance email from…

Explore this Topic

The 22 Best Digital Marketing Ideas to Drive Sustainable Lead Generation in 2024


Ready to grow in 2024? A good plan has to be comprehensive and filled with the best ingredients--from SEO to content, social media to paid boosting. 

Here’s what you’ll learn:

  • How to target efficiently with personas
  • How to assess if your website is hurting or helping you
  • How a content marketing plan will help you rank with Google through SEO
  • The social media tactics you need and the ones you can skip