Ultimate Member is a WordPress plugin that facilitates user sign-ups and building communities on WordPress sites. It currently has over 200,000 active installations according to its page in the WordPress plugin directory.
A zero-day vulnerability in Ultimate Member has been exploited by threat actors to compromise numerous websites. The vulnerability, tracked as CVE-2023-3460, has a CVSS v3.1 score of 9.8, making it a critical vulnerability.
The vulnerability allows threat actors to set arbitrary user meta values on their accounts, including the wp_capabilities user meta value. This value defines the user’s role on the website. By setting this value to administrator, threat actors can gain full control of the vulnerable website.
Wordfence, a website security company, has discovered the vulnerability and has released a firewall rule to protect its clients from this threat. However, Wordfence recommends that users uninstall Ultimate Member until the vendor releases a patch for the vulnerability.
If you are using Ultimate Member, you should check your website for signs of compromise. These signs include the appearance of new administrator accounts, the usage of the usernames wpenginer, wpadmins, wpengine_backup, se_brutal, or segs_brutal, and log records showing these IP addresses that known to be malicious accessed the Ultimate Member registration page: 184.108.40.206, 220.127.116.11, 18.104.22.168, 22.214.171.124, and 126.96.36.199.
If you find any signs of compromise, you should immediately uninstall Ultimate Member and contact your website host for assistance.