UPDATE (2023-07-03): A new version, 2.6.7, was released this weekend, and fixes the issue. If you use Ultimate Member, update to this version as soon as possible. You can find Ultimate Member’s incident postmortem here.
Recently, Automattic’s WP.cloud and Pressable.com platforms identified a trend in compromised sites, where rogue new administrator accounts kept appearing in the affected sites. After some investigation, we witnessed a post on the WordPress.org support forums by Slavic Dragovtev discussing a potential security issue, specifically a Privilege Escalation vulnerability, with the Ultimate Member plugin (200,000+ active installs). Worryingly, there were indications that this issue was being actively exploited by malicious actors.
In response to the vulnerability report, the creators of the plugin promptly released a new version, 2.6.4, intending to fix the problem. However, upon investigating this update, we found numerous methods to circumvent the proposed patch, implying the issue is still fully exploitable.
Adding to the urgency of the situation, a look at our monitoring systems also confirmed attacks using this vulnerability were indeed happening in the wild.
In light of our findings, we immediately contacted the plugin’s authors. We shared our discoveries and offered our assistance to help them resolve the issue as soon as possible.
This is a very serious issue: unauthenticated attackers may exploit this vulnerability to create new user accounts with administrative privileges, giving them the power to take complete control of affected sites.
Privilege Escalation Vulnerability In Ultimate Member
|Affected Versions||Versions lower than 2.6.7|
At the time of writing, there is no complete fix to this issue. Hence, we’ll provide only a brief overview of the reasons the code is vulnerable, and how similar code should be fixed.
The plugin operates by using a pre-defined list of user metadata keys that users should not manipulate. It uses this list to check if users are attempting to register these keys when creating an account. This is a common security anti-pattern, where blocking known harmful inputs (blocklists) might seem intuitive, but is trickier than expected and often leaves room for security bypasses.
Instead of blocklists, it’s generally recommended to use allowlists, which approve specific inputs and reject anything that didn’t make it to the list. This typically provides a more robust security measure.
Unfortunately, differences in how the Ultimate Member’s blocklist logic and how WordPress treats metadata keys made it possible for attackers to trick the plugin into updating some it shouldn’t, like “wp_capabilities”, which is used to store a user’s role and capabilities.
Indicators of Compromise
We noticed several IP addresses actively attacking sites:
The typical attacks we are observing generally involve the following steps:
- An initial POST request is made to the plugin’s user registration page, which is typically “/register.”
- The attacker then attempts to log in with the newly created account using the “/wp-login.php” page.
- Finally, a malicious plugin is uploaded through the site’s administration panel.
Common usernames for malicious accounts created during the recent attack wave:
Other indicators of compromise include malicious plugins, themes, and code additions:
- Malicious plugins such as “yyobang” and backdoors such as “autoload_one.php” added to legitimate plugins.
- Malicious themes such as “fing.”
- Modifications to the active theme’s functions.php, including attempts to create a persistent user, “wpadminns.”
|2023-06-04||Pressable.com / WP.cloud’s monitoring systems first logged attack waves creating accounts with “apadmin” and “wpadmins” usernames|
|2023-06-26||Slavic Dragovtev reports a potential privilege escalation vulnerability to Ultimate Member|
|2023-06-27||Ultimate Member version 2.6.4 is released, but is still vulnerable|
|2023-06-27||Joshua Goode, representing Pressable.com and WP.cloud, starts an investigation, confirms that a vulnerability is being actively exploited, identifies numerous indicators of compromise, and escalates the issue to the Jetpack & WPScan Security Research team|
|2023-06-27||Some plugin users start noticing attack attempts against their sites|
|2023-06-27||We report bypasses in the 2.6.4 fix to Ultimate Member’s authors, they quickly reply with a potential (but insufficient) fix|
|2023-06-28||Version 2.6.5 is released to the public, but is still exploitable|
|2023-06-29||We publish this post|
|2023-06-29||Version 2.6.6 is released to the public, but is still exploitable|
|2023-06-30||Ultimate Member sends us version 2.6.7 for review|
|2023-07-01||Version 2.6.7 is released to the public|
|2023-07-03||We confirm with the authors that 2.6.7 fixes the various bypasses we reported to them|
We recommend you update the Ultimate Member plugin to version 2.6.7, which remediates this security issue.
We are committed to ensuring your website’s protection against these types of vulnerabilities. It is highly recommended that you implement a security plan for your site that includes scanning for malicious files and maintaining regular backups. Jetpack offers a comprehensive solution to ensure the safety of your site and its visitors.