Ultimate Member Plugin Flaw Exposes 100,000 WordPress Sites to Attacks


March 11, 2024 at 11:15AM

A high-severity vulnerability in the Ultimate Member plugin (CVE-2024-2123) enables injection of malicious scripts into WordPress sites. Insufficient input sanitization and output escaping in the plugin’s members directory list functionality allow unauthenticated attackers to inject web scripts and potentially gain administrative user access. The flaw affects versions 2.8.3 and prior; a patch was released on March 6, and users are urged to update to 2.8.4.


– A high-severity vulnerability, tracked as CVE-2024-2123, has been identified in the Ultimate Member plugin for WordPress. The vulnerability is a stored cross-site scripting (XSS) issue that allows attackers to inject malicious web scripts into vulnerable sites.

– The vulnerability results from insufficient input sanitization and output escaping in the plugin’s members directory list functionality, making it possible for unauthenticated attackers to inject web scripts, including during the user registration process.

– Exploiting this vulnerability could allow attackers to create new administrative accounts, redirect visitors to malicious sites, inject backdoors, and gain administrative user access on affected sites.

– The security defect was submitted via the Wordfence bug bounty program on February 28, and the plugin developers released a patch on March 6. Users are strongly advised to update to Ultimate Member 2.8.4 as soon as possible to secure their sites.

– Ultimate Member has over 200,000 active installations, with approximately 100,000 downloads in the past seven days. This suggests that a significant portion of its user base remains vulnerable to CVE-2024-2123.
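
As an added example (not code from Ultimate Member or from the article), the pattern described above in plain PHP: a member-directory card built from registration-supplied profile fields, first with raw concatenation and then sanitized on input and escaped on output. The helper names clean_text, e_html and e_attr, the member-card markup and the /members/ URL are assumptions standing in for WordPress's sanitize_text_field(), esc_html() and esc_attr().

```php
<?php
// Added illustration, not Ultimate Member's code: one member-directory card
// rendered from registration-supplied profile fields, first the vulnerable way
// (raw concatenation), then sanitized on input and escaped on output. The
// helpers are plain-PHP stand-ins for WordPress's sanitize_text_field(),
// esc_html() and esc_attr(); the markup and /members/ URL are hypothetical.

// Constructed sample data: the second "user" registered with a script tag as
// their display name, the kind of value a stored XSS depends on.
$members = [
    ['display_name' => 'Alice Example', 'bio' => 'Gardener & coffee nerd'],
    ['display_name' => '<script>alert(1)</script>', 'bio' => 'n/a'],
];

// Vulnerable pattern: user-controlled strings dropped straight into HTML.
function render_card_unsafe(array $m): string
{
    return '<div class="member-card"><a href="/members/' . $m['display_name'] . '">'
        . $m['display_name'] . '</a><p>' . $m['bio'] . '</p></div>';
}

// Input sanitization (stand-in for sanitize_text_field): strip tags, collapse
// whitespace, trim. Applied when the registration form is saved.
function clean_text(string $s): string
{
    return trim(preg_replace('/\s+/u', ' ', strip_tags($s)));
}

// Output escaping, one helper per context (stand-ins for esc_html / esc_attr).
function e_html(string $s): string { return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8'); }
function e_attr(string $s): string { return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8'); }

// Hardened pattern: sanitized value, escaped for each place it lands
// (URL-encoded inside the href, HTML-escaped in text content).
function render_card_safe(array $m): string
{
    $name = clean_text($m['display_name']);
    $bio  = clean_text($m['bio']);
    return '<div class="member-card"><a href="/members/' . e_attr(rawurlencode($name)) . '">'
        . e_html($name) . '</a><p>' . e_html($bio) . '</p></div>';
}

foreach ($members as $m) {
    echo 'UNSAFE: ', render_card_unsafe($m), PHP_EOL;
    echo 'SAFE:   ', render_card_safe($m), PHP_EOL;
}
```

Run it with the php CLI; even if clean_text() were skipped, the e_html()/e_attr() calls alone render the second user's name as inert text, which is why output escaping is the control that must not be missed.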

