Hacking Campaign Actively Exploiting Ultimate Member Plugin

UPDATE (2023-07-03): A new version, 2.6.7, was released this weekend, and fixes the issue. If you use Ultimate Member, update to this version as soon as possible. You can find Ultimate Member’s incident postmortem here.

Recently, Automattic’s WP.cloud and Pressable.com platforms identified a trend in compromised sites, where rogue new administrator accounts kept appearing in the affected sites. After some investigation, we witnessed a post on the WordPress.org support forums by Slavic Dragovtev discussing a potential security issue, specifically a Privilege Escalation vulnerability, with the Ultimate Member plugin (200,000+ active installs). Worryingly, there were indications that this issue was being actively exploited by malicious actors.

In response to the vulnerability report, the creators of the plugin promptly released a new version, 2.6.4, intending to fix the problem. However, upon investigating this update, we found numerous methods to circumvent the proposed patch, implying the issue is still fully exploitable.

Adding to the urgency of the situation, a look at our monitoring systems also confirmed attacks using this vulnerability were indeed happening in the wild.

In light of our findings, we immediately contacted the plugin’s authors. We shared our discoveries and offered our assistance to help them resolve the issue as soon as possible.

This is a very serious issue: unauthenticated attackers may exploit this vulnerability to create new user accounts with administrative privileges, giving them the power to take complete control of affected sites.

Privilege Escalation Vulnerability In Ultimate Member

NameUltimate Member
Plugin URIhttps://wordpress.org/plugins/ultimate-member/
Affected VersionsVersions lower than 2.6.7
CVE IDCVE-2023-3460 
WPScan ID694235c7-4469-4ffd-a722-9225b19e98d7

At the time of writing, there is no complete fix to this issue. Hence, we’ll provide only a brief overview of the reasons the code is vulnerable, and how similar code should be fixed.

The plugin operates by using a pre-defined list of user metadata keys that users should not manipulate. It uses this list to check if users are attempting to register these keys when creating an account. This is a common security anti-pattern, where blocking known harmful inputs (blocklists) might seem intuitive, but is trickier than expected and often leaves room for security bypasses.

Instead of blocklists, it’s generally recommended to use allowlists, which approve specific inputs and reject anything that didn’t make it to the list. This typically provides a more robust security measure.

Unfortunately, differences in how the Ultimate Member’s blocklist logic and how WordPress treats metadata keys made it possible for attackers to trick the plugin into updating some it shouldn’t, like “wp_capabilities”, which is used to store a user’s role and capabilities.

Indicators of Compromise

We noticed several IP addresses actively attacking sites:


The typical attacks we are observing generally involve the following steps:

  • An initial POST request is made to the plugin’s user registration page, which is typically “/register.”
  • The attacker then attempts to log in with the newly created account using the “/wp-login.php” page.
  • Finally, a malicious plugin is uploaded through the site’s administration panel.

Common usernames for malicious accounts created during the recent attack wave:

  • apadmins
  • wpadmins
  • wpenginer
  • segs_brutal

Other indicators of compromise include malicious plugins, themes, and code additions:

  • Malicious plugins such as “yyobang” and backdoors such as “autoload_one.php” added to legitimate plugins.
  • Malicious themes such as “fing.”
  • Modifications to the active theme’s functions.php, including attempts to create a persistent user, “wpadminns.”


2023-06-04Pressable.com / WP.cloud’s monitoring systems first logged attack waves creating accounts with “apadmin” and “wpadmins” usernames
2023-06-26Slavic Dragovtev reports a potential privilege escalation vulnerability to Ultimate Member
2023-06-27Ultimate Member version 2.6.4 is released, but is still vulnerable
2023-06-27Joshua Goode, representing Pressable.com and WP.cloud, starts an investigation, confirms that a vulnerability is being actively exploited, identifies numerous indicators of compromise, and escalates the issue to the Jetpack & WPScan Security Research team
2023-06-27Some plugin users start noticing attack attempts against their sites
2023-06-27We report bypasses in the 2.6.4 fix to Ultimate Member’s authors, they quickly reply with a potential (but insufficient) fix
2023-06-28Version 2.6.5 is released to the public, but is still exploitable
2023-06-29We publish this post
2023-06-29Version 2.6.6 is released to the public, but is still exploitable
2023-06-30Ultimate Member sends us version 2.6.7 for review
2023-07-01Version 2.6.7 is released to the public
2023-07-03We confirm with the authors that 2.6.7 fixes the various bypasses we reported to them


We recommend you update the Ultimate Member plugin to version 2.6.7, which remediates this security issue.

Sites on WP.cloud hosts, such as WordPress.com and Pressable.com, have received a platform-level patch to help mitigate the vulnerability.

We are committed to ensuring your website’s protection against these types of vulnerabilities. It is highly recommended that you implement a security plan for your site that includes scanning for malicious files and maintaining regular backups. Jetpack offers a comprehensive solution to ensure the safety of your site and its visitors.


  1. Marius says:

    6 mins ago came out the version 2.6.6 of Ultimate Members.

    I am not using it anywhere, but I hope for all who are using it, this resolves the issue!

    1. Marc Montpas says:

      Thanks for sharing this! Unfortunately, it doesn’t. 🙁

      I updated the post to reflect the version change.

  2. There is a new update of the plugin (v. 2.6.7) that claims to solve the vulnerability.

    May you test it?

    Thanks 🙂

    1. Marc Montpas says:

      Yes, after some validation, it does seem to properly fix the bypasses we shared with the plugin’s authors.

      I just updated the post with this new information.

      Thanks for passing by! 🙂

  3. Daniel Hersh says:

    2.67 is out now – see https://docs.ultimatemember.com/article/1866-security-incident-update-and-recommended-actions . Is this a complete fix, so far as you know?

  4. Alex Sanford says:

    Yes, version 2.6.7 appears to fully fix this issue. We’ve updated this post accordingly.

Leave a Reply