The Ultimate Member WordPress plugin, installed on more than 200,000 sites to handle user registration and login, has become an entry point for unauthenticated attackers through a security vulnerability tracked as CVE-2023-3460.
On the surface, Ultimate Member is a boon to site owners: it adds user profiles, defines roles, builds custom form fields and generates member directories. Underneath that convenience sits a privilege escalation vulnerability rated 9.8 on the Common Vulnerability Scoring System (CVSS).
The flaw lets unauthenticated attackers create new user accounts with administrative privileges, handing them full control of the site. WPScan, a well-known WordPress security vendor, has confirmed that the vulnerability is not merely theoretical: it is being exploited in the wild.
The root of the flaw lies in the mechanism the plugin uses to protect itself. Ultimate Member keeps a predefined list of user metadata keys that registrants are forbidden to set, and checks every key submitted during registration against that blocklist. Blocking known-bad input is a widespread security anti-pattern: it looks intuitive, but a blocklist only catches the spellings its authors thought of, and any input that reaches the same effect by another route slips through.
Security practitioners instead recommend allowlists, which accept only explicitly permitted inputs and reject everything else. An allowlist does not need to anticipate every way an attacker might phrase a forbidden key, so it tends to hold up better.
The pivotal issue is a mismatch between the blocklist logic in Ultimate Member and the way WordPress treats metadata keys. That discrepancy lets attackers trick the plugin into updating keys it should never touch, notably the capabilities key ("wp_capabilities" on a site with the default "wp_" table prefix), which stores a user's roles and capabilities.
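The following is an added illustration of the bug class described above, not code from Ultimate Member or WordPress. It models a registration filter that drops forbidden metadata keys by exact string comparison, a storage layer that normalises keys before writing them, and the allowlist alternative. The normalisation rules (case folding and backslash stripping), the hostile payload and the allowed-key set are assumptions constructed for the demo; the page does not state the precise discrepancy in the real plugin.

```python
"""Blocklist vs allowlist filtering of user meta keys at registration.

Constructed illustration: the filter and the storage layer disagree about what
a key "is". normalize_key() is an assumed stand-in for whatever processing a
meta API may apply after the filter has run; it is not WordPress's actual code.
"""

# Real WordPress user meta keys that a registrant must never be able to set
# ("wp_" is the default table prefix).
BLOCKED_KEYS = {"wp_capabilities", "wp_user_level"}

# Keys a registration form legitimately needs (assumed for the demo).
ALLOWED_KEYS = {"first_name", "last_name", "description"}


def normalize_key(key: str) -> str:
    """Assumed storage-layer normalisation that the filter never sees.

    Any such step that happens *after* filtering creates a gap an exact-match
    blocklist cannot close, because the filter and the store compare
    different strings.
    """
    return key.replace("\\", "").lower()


def blocklist_filter(submitted: dict) -> dict:
    """Drop known-bad keys by exact string comparison (the weak pattern)."""
    return {k: v for k, v in submitted.items() if k not in BLOCKED_KEYS}


def blocklist_filter_normalized(submitted: dict) -> dict:
    """Blocklist that compares the *normalised* key.

    Closes this particular gap, but only because it re-implements the store's
    normalisation; every new rule the store applies must be mirrored here.
    """
    return {k: v for k, v in submitted.items()
            if normalize_key(k) not in BLOCKED_KEYS}


def allowlist_filter(submitted: dict) -> dict:
    """Keep only keys that are explicitly permitted (the robust pattern)."""
    return {k: v for k, v in submitted.items() if k in ALLOWED_KEYS}


def store_meta(filtered: dict) -> dict:
    """Simulated meta store: keys are normalised on write."""
    return {normalize_key(k): v for k, v in filtered.items()}


def register(submitted: dict, use_allowlist: bool) -> dict:
    """Run a registration payload through one filter and into the store."""
    if use_allowlist:
        filtered = allowlist_filter(submitted)
    else:
        filtered = blocklist_filter(submitted)
    return store_meta(filtered)


def is_admin(stored: dict) -> bool:
    """True if the stored capabilities grant the administrator role."""
    return bool(stored.get("wp_capabilities", {}).get("administrator"))


# Constructed hostile registration payload: a variant spelling of the blocked
# key that the exact-match blocklist does not recognise but that the store
# folds back to "wp_capabilities".
HOSTILE_PAYLOAD = {
    "first_name": "Mallory",
    "WP\\_Capabilities": {"administrator": True},
}

if __name__ == "__main__":
    print("blocklist :", is_admin(register(HOSTILE_PAYLOAD, use_allowlist=False)))  # True
    print("allowlist :", is_admin(register(HOSTILE_PAYLOAD, use_allowlist=True)))   # False
    print("normalised blocklist:",
          is_admin(store_meta(blocklist_filter_normalized(HOSTILE_PAYLOAD))))      # False
```

The point of the third filter is that even a "fixed" blocklist stays correct only as long as it tracks every transformation the consumer applies to the key; the allowlist needs no such knowledge.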
At the time of writing, no complete fix for CVE-2023-3460 has been released. Given active exploitation, organizations running the plugin should understand the details of the vulnerability and decide on mitigations according to their risk tolerance. Until a fixed version is available, the obvious interim steps are to disable new user registration, which removes the unauthenticated path, and to audit the site for administrator accounts nobody created on purpose. In some cases the most prudent course is to uninstall the affected plugin and switch to a more secure alternative.
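As an added example of the audit step (not the page's or the plugin's code), the script below scans rows exported from a site's wp_users and wp_usermeta tables and flags administrator grants that belong to unknown accounts, were registered after a chosen date, or sit under a capabilities key that is not spelled exactly as expected. The rows are constructed; the serialised meta_value format ('a:1:{s:13:"administrator";b:1;}') is WordPress's real PHP-serialised capabilities array, while the key-variant check and the "wp_" prefix are assumptions to be adjusted to the site.

```python
"""Audit a wp_users/wp_usermeta export for unexpected administrator grants.

Added example with constructed input rows; run it against the output of a
query joining wp_users and wp_usermeta on user_id after a suspected incident.
"""

from datetime import datetime

TABLE_PREFIX = "wp_"            # assumption: default prefix, change for the site
CAPS_KEY = TABLE_PREFIX + "capabilities"

# Constructed rows: (user_id, user_login, user_registered, meta_key, meta_value).
ROWS = [
    (1, "siteowner", "2021-03-04 10:00:00", "wp_capabilities",
     'a:1:{s:13:"administrator";b:1;}'),
    (2, "alice", "2022-06-01 09:12:00", "wp_capabilities",
     'a:1:{s:10:"subscriber";b:1;}'),
    (2, "alice", "2022-06-01 09:12:00", "first_name", "Alice"),
    (57, "mallory", "2023-06-29 02:13:44", "wp_capabilities",
     'a:1:{s:13:"administrator";b:1;}'),
    (58, "trent", "2023-06-29 02:14:10", "WP\\_Capabilities",
     'a:1:{s:13:"administrator";b:1;}'),
]


def grants_admin(meta_value: str) -> bool:
    """True if a PHP-serialised capabilities array enables administrator."""
    return '"administrator";b:1' in meta_value


def looks_like_caps_key(meta_key: str) -> bool:
    """Exact capabilities key, or a variant that folds to it.

    The folding (case and backslash stripping) is an assumption standing in
    for however the site's database ends up treating the key; widen it if
    the investigation shows other variants.
    """
    return meta_key == CAPS_KEY or meta_key.replace("\\", "").lower() == CAPS_KEY


def find_suspicious_admins(rows, known_admins, since):
    """Return (login, registered, meta_key) for every administrator grant that
    is not in known_admins, was registered at or after `since`, or is stored
    under a key that is not spelled exactly as CAPS_KEY."""
    cutoff = datetime.fromisoformat(since)
    findings = []
    for _user_id, login, registered, key, value in rows:
        if not looks_like_caps_key(key) or not grants_admin(value):
            continue
        unexpected_login = login not in known_admins
        recent = datetime.fromisoformat(registered) >= cutoff
        odd_key = key != CAPS_KEY
        if unexpected_login or recent or odd_key:
            findings.append((login, registered, key))
    return findings


if __name__ == "__main__":
    for finding in find_suspicious_admins(ROWS, {"siteowner"}, "2023-06-01 00:00:00"):
        print("suspicious admin:", finding)
```

A hit on an oddly spelled capabilities key deserves a look even when the account is known, because a legitimate WordPress role change writes the exact key.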