CVE-2023-3460

Name of the Vulnerable Software and Affected Versions Ultimate Member WordPress plugin versions prior to 2.6.7

Description The issue allows attackers to create user accounts with arbitrary capabilities, effectively enabling them to create administrator accounts at will. This is being actively exploited. The plugin has over 200,000 active installations. Attackers are setting the wp capabilities user meta value to gain administrator privileges and full access to vulnerable sites. Despite attempts to fix the issue in versions 2.6.3, 2.6.4, 2.6.5, and 2.6.6, ways to exploit it still exist.

Recommendations For Ultimate Member WordPress plugin versions prior to 2.6.7, update to version 2.6.7 or later to resolve the issue. As a temporary workaround, consider removing the Ultimate Member plugin until a patch is available. Restrict access to the wp capabilities user meta value to minimize the risk of exploitation. If a site has already been compromised, removal of the plugin will not be sufficient to mitigate the risk; a full scan for malware and deactivation of malicious admin accounts is necessary.