Viewing 8 replies - 1 through 8 (of 8 total)
  • Plugin Author Mykyta Synelnikov

    (@nsinelnikov)

    Hi @jhan303

    Thanks for your question. We have been working on fixes related to this vulnerability since version 2.6.3, when we got a report from one of our customers. Versions 2.6.4, 2.6.5 and 2.6.6 partially close this vulnerability, but we are still working together with the WPScan team to get the best result. We also got their report with all the necessary details.

    All previous versions are vulnerable, so we highly recommend upgrading your websites to 2.6.6 and keeping up with updates in the future to get the latest security and feature enhancements.

    Let me know if you have other questions,
    Best Regards!

    Wordfence just published a blog post on this; they share some indicators of compromise to check, and it sounds like it would be a good idea to block the suspicious usernames and email address domain they identify from registering accounts via Ultimate Member > Settings > Access > Other.

    WordFence sent out a similar Critical warning: https://www.wordfence.com/blog/2023/06/psa-unpatched-critical-privilege-escalation-vulnerability-in-ultimate-member-plugin-being-actively-exploited/. I cannot install this plug-in until this issue is fixed.

    Re the post from @nsinelnikov – can you be clearer, please?
    Is the vulnerability that lets attackers create admin-level users still there in 2.6.6 or not?

    @effecticore — yes, the vulnerability still exists in 2.6.6; the safest thing to do is uninstall the plugin until they patch the vulnerability.

    Plugin Support calumallison

    (@calumallison)

    @effecticore We have been liaising with the team from WPScan and we have fixed some of the issues which have been patched in the recent updates. We are currently working on fixing a remaining issue and will release a further update as soon as possible. Thank you

    Hi all, it seems that hackers currently exploiting this issue are mainly trying to attack YOURDOMAIN.COM/register (where ‘register’ is the default slug for registering).

    So while it’s certainly NOT a patch, you could make it a bit harder for hackers by temporarily changing the ‘register’ slug to something less predictable (not ‘registration’, but something more random).

    When UM releases the actual patch, you can of course rename the slug back to ‘register’.

    Plugin Support andrewshu

    (@andrewshu)

    Hi @jhan303

    This thread has been inactive for a while so we’re going to go ahead and mark it Resolved.

    Please feel free to re-open this thread if any other questions come up and we’d be happy to help.

    Regards

  • The topic ‘Major Security Vulnerability’ is closed to new replies.