URL: https://blog.wpscan.com/hacking-campaign-actively-exploiting-ultimate-member-plugin/

HACKING CAMPAIGN ACTIVELY EXPLOITING ULTIMATE MEMBER PLUGIN

Published June 29, 2023; updated July 3, 2023

UPDATE (2023-07-03): A new version, 2.6.7, was released this weekend, and fixes
the issue. If you use Ultimate Member, update to this version as soon as
possible. You can find Ultimate Member’s incident postmortem here.

Recently, Automattic’s WP.cloud and Pressable.com platforms identified a trend
in compromised sites, where rogue new administrator accounts kept appearing in
the affected sites. After some investigation, we witnessed a post on the
WordPress.org support forums by Slavic Dragovtev discussing a potential security
issue, specifically a Privilege Escalation vulnerability, with the Ultimate
Member plugin (200,000+ active installs). Worryingly, there were indications
that this issue was being actively exploited by malicious actors.

In response to the vulnerability report, the creators of the plugin promptly
released a new version, 2.6.4, intending to fix the problem. However, upon
investigating this update, we found numerous methods to circumvent the proposed
patch, implying the issue is still fully exploitable.

Adding to the urgency of the situation, a look at our monitoring systems also
confirmed attacks using this vulnerability were indeed happening in the wild.

In light of our findings, we immediately contacted the plugin’s authors. We
shared our discoveries and offered our assistance to help them resolve the issue
as soon as possible.

This is a very serious issue: unauthenticated attackers may exploit this
vulnerability to create new user accounts with administrative privileges, giving
them the power to take complete control of affected sites.


PRIVILEGE ESCALATION VULNERABILITY IN ULTIMATE MEMBER

Name: Ultimate Member
Plugin URI: https://wordpress.org/plugins/ultimate-member/
Author: https://ultimatemember.com/
Affected Versions: versions lower than 2.6.7
CVE ID: CVE-2023-3460
WPScan ID: 694235c7-4469-4ffd-a722-9225b19e98d7
CVSSv3.1: 9.8

At the time of writing, there is no complete fix to this issue. Hence, we’ll
provide only a brief overview of the reasons the code is vulnerable, and how
similar code should be fixed.

The plugin operates by using a pre-defined list of user metadata keys that users
should not manipulate. It uses this list to check if users are attempting to
register these keys when creating an account. This is a common security
anti-pattern, where blocking known harmful inputs (blocklists) might seem
intuitive, but is trickier than expected and often leaves room for security
bypasses.

Instead of blocklists, it’s generally recommended to use allowlists, which
approve specific inputs and reject anything that didn’t make it to the list.
This typically provides a more robust security measure.

Unfortunately, differences between how Ultimate Member’s blocklist logic treats
metadata keys and how WordPress treats them made it possible for attackers to
trick the plugin into updating keys it shouldn’t, such as “wp_capabilities”,
which is used to store a user’s role and capabilities.
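To make the blocklist-versus-allowlist point concrete, here is an added PHP illustration written for this post. It is not Ultimate Member’s code and it does not reproduce the plugin’s actual bypass: the storage-side normalisation (`normalize_for_storage`, which merely trims whitespace), the field names and the submitted payload are hypothetical stand-ins for the general situation where the check and the storage layer disagree about what a key is.

```php
<?php
// Added illustration, not Ultimate Member's code. Models the difference between
// rejecting known-bad meta keys (blocklist) and accepting only known-good
// registration fields (allowlist) when saving user-submitted metadata.

// Keys an unauthenticated registrant must never set. The real plugin keeps its
// own list; these are standard WordPress keys named in, or adjacent to, the post.
const BLOCKED_META_KEYS = ['wp_capabilities', 'wp_user_level'];

// Registration fields the form actually needs. Hypothetical set for this example.
const ALLOWED_META_KEYS = ['first_name', 'last_name', 'description'];

/**
 * Hypothetical storage-side normalisation: the layer that writes meta keys
 * trims surrounding whitespace before use. This is NOT how WordPress or the
 * plugin behaves; it only stands in for "the check and the storage disagree".
 */
function normalize_for_storage(string $key): string {
    return trim($key);
}

/** Blocklist: reject a submitted key only if it matches the list verbatim. */
function blocklist_allows(string $submitted_key): bool {
    return !in_array($submitted_key, BLOCKED_META_KEYS, true);
}

/** Allowlist: canonicalise first, then accept only a known form field. */
function allowlist_allows(string $submitted_key): bool {
    return in_array(normalize_for_storage($submitted_key), ALLOWED_META_KEYS, true);
}

/** Keep only the submitted fields that pass a given check, as a plugin would before saving. */
function filter_submission(array $submitted, callable $check): array {
    $kept = [];
    foreach ($submitted as $key => $value) {
        if ($check($key)) {
            // Storage sees the normalised key, whatever the check looked at.
            $kept[normalize_for_storage($key)] = $value;
        }
    }
    return $kept;
}

// Constructed registration payload: two legitimate fields plus one privileged
// key whose spelling differs from the blocklist entry only by the whitespace
// that storage strips.
$submitted = [
    'first_name'       => 'Alice',
    'description'      => 'hello',
    ' wp_capabilities' => ['administrator' => true],
];

$via_blocklist = filter_submission($submitted, 'blocklist_allows');
$via_allowlist = filter_submission($submitted, 'allowlist_allows');

echo "blocklist kept: " . implode(', ', array_keys($via_blocklist)) . PHP_EOL;
echo "allowlist kept: " . implode(', ', array_keys($via_allowlist)) . PHP_EOL;
```

Run it with `php` on the command line. The blocklist run lets the privileged key reach storage because the comparison happened before normalisation, while the allowlist run keeps only the two known fields. The durable fix is the second shape: canonicalise the key exactly as the storage layer will, then compare it against the short list of fields the form is allowed to write.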


INDICATORS OF COMPROMISE

We noticed several IP addresses actively attacking sites:

 * 13.115.254.242
 * 18.183.89.3
 * 43.207.157.215
 * 52.77.211.128
 * 54.204.198.153
 * 54.238.232.81
 * 73.85.149.184
 * 103.30.11.160
 * 103.30.41.32
 * 103.187.5.128
 * 123.148.137.93
 * 149.102.246.53
 * 154.23.241.178
 * 163.123.192.54
 * 165.227.120.193
 * 169.150.227.217
 * 213.232.113.183

The typical attacks we are observing generally involve the following steps:

 * An initial POST request is made to the plugin’s user registration page, which
   is typically “/register.”
 * The attacker then attempts to log in with the newly created account using the
   “/wp-login.php” page.
 * Finally, a malicious plugin is uploaded through the site’s administration
   panel.

Common usernames for malicious accounts created during the recent attack wave:

 * apadmins
 * wpadmins
 * wpenginer
 * segs_brutal

Other indicators of compromise include malicious plugins, themes, and code
additions:

 * Malicious plugins such as “yyobang” and backdoors such as “autoload_one.php”
   added to legitimate plugins.
 * Malicious themes such as “fing.”
 * Modifications to the active theme’s functions.php, including attempts to
   create a persistent user, “wpadminns.”
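The indicators above can be checked mechanically. The PHP script below is an added example, not part of the post or of any WPScan tool: it parses combined-format access-log lines, flags the registration-then-login sequence the post describes (and any registration POST from a listed IP), and compares a list of administrator usernames against the rogue names the post mentions. The log lines and the administrator list are constructed samples; the registration path defaults to `/register` as in the post but is a parameter.

```php
<?php
// Added detection helper, not part of the original post or of any WPScan tool.
// Scans web-server access-log lines and a list of administrator usernames for
// the indicators of compromise listed in the post. All inputs below are
// constructed samples.

const ATTACKER_IPS = [
    '13.115.254.242', '18.183.89.3', '43.207.157.215', '52.77.211.128',
    '54.204.198.153', '54.238.232.81', '73.85.149.184', '103.30.11.160',
    '103.30.41.32', '103.187.5.128', '123.148.137.93', '149.102.246.53',
    '154.23.241.178', '163.123.192.54', '165.227.120.193', '169.150.227.217',
    '213.232.113.183',
];

// Usernames the post associates with the campaign (registration wave and the
// persistent user created via functions.php).
const ROGUE_USERNAMES = ['apadmin', 'apadmins', 'wpadmins', 'wpenginer', 'segs_brutal', 'wpadminns'];

// Combined log format: ip - - [date] "METHOD path HTTP/x" status size "ref" "ua"
const LOG_LINE_RE = '/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})/';

/** Parse one combined-format line into its parts, or null if it does not match. */
function parse_log_line(string $line): ?array {
    if (!preg_match(LOG_LINE_RE, $line, $m)) {
        return null;
    }
    $path = parse_url($m[4], PHP_URL_PATH);
    if (!is_string($path)) {
        $path = $m[4];
    }
    return ['ip' => $m[1], 'time' => $m[2], 'method' => $m[3], 'path' => $path, 'status' => (int) $m[5]];
}

/**
 * Return one finding per IP that follows the observed sequence: a POST to the
 * registration page, then a POST to /wp-login.php from the same IP. A listed
 * attacker IP is reported on the registration POST alone.
 */
function find_attack_sequences(array $lines, string $register_path = '/register'): array {
    $registered = [];   // ip => time of first registration POST
    $findings   = [];
    $reg        = rtrim($register_path, '/');
    foreach ($lines as $line) {
        $r = parse_log_line($line);
        if ($r === null || $r['method'] !== 'POST') {
            continue;
        }
        $path = rtrim($r['path'], '/');
        if ($path === $reg) {
            if (!isset($registered[$r['ip']])) {
                $registered[$r['ip']] = $r['time'];
            }
            if (in_array($r['ip'], ATTACKER_IPS, true)) {
                $findings[$r['ip']] = 'registration POST from listed attacker IP at ' . $r['time'];
            }
        } elseif ($path === '/wp-login.php' && isset($registered[$r['ip']])) {
            $findings[$r['ip']] = 'registration at ' . $registered[$r['ip']] . ' followed by login at ' . $r['time'];
        }
    }
    return $findings;
}

/** Return the administrator usernames that match the post's list of rogue accounts. */
function find_rogue_admins(array $admin_usernames): array {
    return array_values(array_intersect($admin_usernames, ROGUE_USERNAMES));
}

// Constructed sample log: one sequence from a listed IP, one from an unlisted IP
// that registers and then logs in, and ordinary traffic.
$sample_log = [
    '203.0.113.7 - - [27/Jun/2023:10:00:01 +0000] "GET /blog/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '54.238.232.81 - - [27/Jun/2023:10:00:02 +0000] "POST /register/ HTTP/1.1" 302 0 "-" "python-requests/2.31"',
    '54.238.232.81 - - [27/Jun/2023:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "python-requests/2.31"',
    '198.51.100.9 - - [27/Jun/2023:10:05:00 +0000] "POST /register/ HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [27/Jun/2023:10:05:30 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
];

foreach (find_attack_sequences($sample_log) as $ip => $why) {
    printf("%-16s %s\n", $ip, $why);
}

// Constructed administrator list, e.g. the output of
// `wp user list --role=administrator --field=user_login`.
$admins = ['site_owner', 'wpadmins', 'editor_jane'];
foreach (find_rogue_admins($admins) as $name) {
    echo "rogue administrator username: $name\n";
}
```

Both sample IPs are reported, the unlisted one purely on the register-then-login sequence, which is the more useful signal: the IP list will age, but the request pattern is what the vulnerability requires. Feed real logs through `find_attack_sequences` with the site’s actual registration path, and treat any match on `find_rogue_admins` as a reason to also inspect the active theme’s functions.php and the plugins directory for the files the post names.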


TIMELINE

2023-06-04  Pressable.com / WP.cloud’s monitoring systems first log attack waves
            creating accounts with “apadmin” and “wpadmins” usernames
2023-06-26  Slavic Dragovtev reports a potential privilege escalation
            vulnerability to Ultimate Member
2023-06-27  Ultimate Member version 2.6.4 is released, but is still vulnerable
2023-06-27  Joshua Goode, representing Pressable.com and WP.cloud, starts an
            investigation, confirms that a vulnerability is being actively
            exploited, identifies numerous indicators of compromise, and
            escalates the issue to the Jetpack & WPScan Security Research team
2023-06-27  Some plugin users start noticing attack attempts against their sites
2023-06-27  We report bypasses in the 2.6.4 fix to Ultimate Member’s authors;
            they quickly reply with a potential (but insufficient) fix
2023-06-28  Version 2.6.5 is released to the public, but is still exploitable
2023-06-29  We publish this post
2023-06-29  Version 2.6.6 is released to the public, but is still exploitable
2023-06-30  Ultimate Member sends us version 2.6.7 for review
2023-07-01  Version 2.6.7 is released to the public
2023-07-03  We confirm with the authors that 2.6.7 fixes the various bypasses we
            reported to them


CONCLUSION

We recommend you update the Ultimate Member plugin to version 2.6.7, which
remediates this security issue.

Sites on WP.cloud hosts, such as WordPress.com and Pressable.com, have received
a platform-level patch to help mitigate the vulnerability.

We are committed to ensuring your website’s protection against these types of
vulnerabilities. It is highly recommended that you implement a security plan for
your site that includes scanning for malicious files and maintaining regular
backups. Jetpack offers a comprehensive solution to ensure the safety of your
site and its visitors.




PUBLISHED BY MARC MONTPAS



6 COMMENTS

 1. Marius says:
    June 29, 2023 at 4:59 pm
    
    6 mins ago came out the version 2.6.6 of Ultimate Members.
    
    I am not using it anywhere, but I hope for all who are using it, this
    resolves the issue!
    
    1. Marc Montpas says:
       June 29, 2023 at 5:14 pm
       
       Thanks for sharing this! Unfortunately, it doesn’t.
       
       I updated the post to reflect the version change.
       
 2. Fernando Tellado says:
    July 2, 2023 at 5:33 pm
    
    There is a new update of the plugin (v. 2.6.7) that claims to solve the
    vulnerability.
    
    May you test it?
    
    Thanks
    
    1. Marc Montpas says:
       July 3, 2023 at 3:20 pm
       
       Yes, after some validation, it does seem to properly fix the bypasses we
       shared with the plugin’s authors.
       
       I just updated the post with this new information.
       
       Thanks for passing by!
       
 3. Daniel Hersh says:
    July 2, 2023 at 11:12 pm
    
    2.67 is out now – see
    https://docs.ultimatemember.com/article/1866-security-incident-update-and-recommended-actions.
    Is this a complete fix, so far as you know?
    
 4. Alex Sanford says:
    July 3, 2023 at 5:36 pm
    
    Yes, version 2.6.7 appears to fully fix this issue. We’ve updated this post
    accordingly.
    