Over 2 Lakh WordPress Websites Vulnerable To Hacking Due To Plugin Bug: Report – News18

Published: July 02, 2023
The bug is present in the Ultimate Member plugin

More than 2 lakh WordPress websites are at risk of being hacked because of a critical unpatched security vulnerability that was being actively exploited by malicious actors.

According to WordPress security firm WPScan, the bug is present in the Ultimate Member plugin, a free user-profile WordPress plugin that makes it easy to create powerful online communities and membership sites with WordPress.

“This is a very serious issue as unauthenticated attackers could exploit this vulnerability to create new user accounts with administrative privileges, giving them the power to take full control of affected sites,” the security firm warned.

There was “no complete fix to this issue” and worryingly, “there have been indications that this concern was being actively exploited by malicious actors,” the firm added.

In response to the vulnerability report, the creators of the plugin promptly released a new version, 2.6.4, intending to fix the problem.

“However, upon investigating this update, we found numerous methods to circumvent the proposed patch, implying the issue is still fully exploitable,” the WPScan team noted.

The plugin operates by using a predefined list of user metadata keys that users should not be able to manipulate.

It uses this list to check whether users are attempting to register these keys when creating an account.

“Unfortunately, differences in how the Ultimate Member’s blocklist logic and the way WordPress treat metadata keys made it possible for attackers to trick the plugin into updating some it shouldn’t,” said the team.

The security researchers recommend that users disable the Ultimate Member plugin until a patch that completely remediates this security issue is made available.

Sites on WP.cloud hosts, such as WordPress.com and Pressable.com, have received a platform-level patch to help mitigate the vulnerability.

(This story has not been edited by News18 staff and is published from a syndicated news agency feed – IANS)