Over 2 lakh websites vulnerable to hacking due to WordPress plugins: Report

Over 200,000 WordPress websites utilising the Ultimate Member plugin are currently exposed to a major hacking threat, as reported by WPScan, a WordPress security firm. The vulnerability discovered by WPScan affects the widely used Ultimate Member plugin, which enables the creation of user profiles and online communities on WordPress sites.
The security firm has issued a warning, highlighting the potential for unauthorised attackers to exploit this vulnerability to create new user accounts with administrative privileges. Such access grants them full control over the compromised websites, posing a significant risk to site owners and their valuable data.
Furthermore, there are indications of active exploitation of this vulnerability by malicious actors. In response to this, the developers of the Ultimate Member plugin have released version 2.6.4 in an effort to address the problem. However, despite the release of the new version, the WPScan team has identified multiple methods to bypass the suggested patch, indicating that the vulnerability remains fully exploitable.

The plugin's registration logic relies on a predefined blocklist of user metadata keys that ordinary users should not be able to set. When an account is created, the plugin checks the submitted metadata keys against this list to decide whether a registration attempt is trying to write one of them.
The report said, “Unfortunately, differences in how the Ultimate Member’s blocklist logic and how WordPress treats metadata keys made it possible for attackers to trick the plugin into updating some it shouldn’t, like “wp_capabilities”, which is used to store a user’s role and capabilities.”
Security researchers are advising site owners to disable the Ultimate Member plugin as a precautionary measure until a comprehensive patch is available. This advice comes amid growing concerns about the security of popular WordPress plugins.
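Because the exploitation described above ends in a new account holding the administrator role, a useful defender-side check is to audit the site's user metadata for unexpected administrator grants. The following is an added example, not code from WPScan's report or from the Ultimate Member plugin; the sample rows, the `wp_` table prefix and the known-admin set are constructed assumptions.

```python
import re

# Constructed sample rows in the shape of WordPress's wp_usermeta table:
# (user_id, meta_key, meta_value). WordPress stores a user's roles under
# "<table prefix>capabilities" ("wp_capabilities" by default) as a
# PHP-serialized array of role => true. Hypothetical data, not from the report.
SAMPLE_USERMETA = [
    (1,  "wp_capabilities", 'a:1:{s:13:"administrator";b:1;}'),
    (1,  "nickname",        "site-owner"),
    (7,  "wp_capabilities", 'a:1:{s:10:"subscriber";b:1;}'),
    (42, "wp_capabilities", 'a:1:{s:13:"administrator";b:1;}'),
    (42, "nickname",        "newprofile"),
    # A look-alike key without the table prefix is not a real role grant.
    (43, "capabilities",    'a:1:{s:13:"administrator";b:1;}'),
]

# Assumed inventory of legitimate administrator user IDs for this site.
KNOWN_ADMINS = {1}

# Matches each role entry whose flag is true in the serialized array.
ROLE_TRUE_RE = re.compile(r's:\d+:"([^"]+)";b:1;')


def granted_roles(serialized_caps):
    """Return the role names whose flag is true in a serialized capabilities array."""
    return set(ROLE_TRUE_RE.findall(serialized_caps))


def find_unexpected_admins(rows, known_admins, table_prefix="wp_"):
    """List user IDs holding 'administrator' that are not in the known-admin set.

    The key is compared exactly as WordPress stores it (prefix + 'capabilities'),
    so look-alike keys without the prefix are ignored rather than over-matched.
    """
    cap_key = table_prefix + "capabilities"
    flagged = set()
    for user_id, meta_key, meta_value in rows:
        if meta_key != cap_key:
            continue
        if "administrator" in granted_roles(meta_value) and user_id not in known_admins:
            flagged.add(user_id)
    return sorted(flagged)


if __name__ == "__main__":
    for uid in find_unexpected_admins(SAMPLE_USERMETA, KNOWN_ADMINS):
        print(f"review user_id={uid}: administrator role not in the known-admin list")
```

On a live site the rows would come from a `SELECT user_id, meta_key, meta_value FROM wp_usermeta` export, with the prefix adjusted to the site's own table prefix.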

In a recent development, WordPress has issued a warning regarding the page-builder Elementor. Patchstack, a group of security researchers, released a report outlining a troubling cybersecurity issue associated with the WordPress plugin Essential Addons for Elementor.
According to the report, Essential Addons for Elementor offers users a variety of pre-designed WordPress blocks and templates for convenient website creation and updates.
