Over 2 Lakh WordPress Websites Vulnerable To Hacking Due To Plugin Bug: Report

More than 2 lakh WordPress websites are at risk of being hacked due to a critical unpatched security vulnerability that was being actively exploited by malicious actors.

According to WordPress security firm WPScan, the bug is present in the Ultimate Member plugin, which is a free user profile WordPress plugin that makes it easy to create powerful online communities and membership sites with WordPress.

“This is a very serious issue as unauthenticated attackers may exploit this vulnerability to create new user accounts with administrative privileges, giving them the power to take complete control of affected sites,” the security firm warned.

There was “no complete fix to this issue” and worryingly, “there were indications that this issue was being actively exploited by malicious actors,” the firm added.

In response to the vulnerability report, the creators of the plugin promptly released a new version, 2.6.4, intending to fix the problem.

“However, upon investigating this update, we found numerous methods to circumvent the proposed patch, implying the issue is still fully exploitable,” the WPScan team noted.

The plugin operates by using a pre-defined list of user metadata keys that users should not manipulate.

It uses this list to check if users are attempting to register these keys when creating an account.

“Unfortunately, differences in how the Ultimate Member’s blocklist logic and how WordPress treats metadata keys made it possible for attackers to trick the plugin into updating some it shouldn’t,” said the team.

The security researchers recommend that users disable the Ultimate Member plugin until a patch that completely remediates this security issue is made available.

Sites on hosts, such as and, have received a platform-level patch to help mitigate the vulnerability.
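
Because the reported impact is new accounts with administrative privileges, a site owner following the advice above will also want to review who currently holds the administrator role. The Python script below is an added example, not code from the original article, WPScan or the plugin: it assumes WordPress's default `wp_capabilities` user-meta key holding a PHP-serialized role array, and the rows, logins and `known_admins` allowlist are constructed.

```python
import re
from datetime import datetime

# Constructed sample rows (not from any real site), shaped like a join of
# wp_users and wp_usermeta on the wp_capabilities key (default table prefix):
# (user_login, user_registered, meta_value)
ROWS = [
    ("siteowner", "2021-03-14 09:12:00", 'a:1:{s:13:"administrator";b:1;}'),
    ("alice", "2023-06-20 18:40:11", 'a:1:{s:10:"subscriber";b:1;}'),
    ("wpsupport01", "2023-06-29 02:17:45", 'a:1:{s:13:"administrator";b:1;}'),
    ("bob", "2023-06-30 11:05:09",
     'a:2:{s:10:"subscriber";b:1;s:13:"administrator";b:1;}'),
    ("carol", "2023-06-30 12:00:00", 'a:1:{s:13:"administrator";b:0;}'),
    ("dave", "2023-07-01 03:33:33", 'a:1:{s:13:"administrator"'),  # truncated
]

# Whole value: a:<count>:{ <entries> }; one entry: s:<len>:"<role>";b:<0|1>;
BODY = re.compile(r'a:(\d+):\{((?:s:\d+:"[^"]*";b:[01];)*)\}')
ENTRY = re.compile(r's:(\d+):"([^"]*)";b:([01]);')

def granted_roles(serialized):
    """Return the roles set to true in a PHP-serialized capabilities array."""
    m = BODY.fullmatch(serialized)
    if not m:
        raise ValueError("unexpected capabilities format")
    entries = ENTRY.findall(m.group(2))
    if len(entries) != int(m.group(1)):
        raise ValueError("entry count mismatch")
    if any(int(n) != len(name.encode("utf-8")) for n, name, _ in entries):
        raise ValueError("string length mismatch")
    return {name for _, name, flag in entries if flag == "1"}

def unexpected_admins(rows, known_admins):
    """List (login, registered, reason) for accounts to review, newest first."""
    findings = []
    for login, registered, meta in rows:
        when = datetime.strptime(registered, "%Y-%m-%d %H:%M:%S")
        try:
            roles = granted_roles(meta)
        except ValueError as exc:
            # A value that does not parse is itself worth a manual look.
            findings.append((login, when, "unparseable: %s" % exc))
            continue
        if "administrator" in roles and login not in known_admins:
            findings.append((login, when, "administrator not on allowlist"))
    return sorted(findings, key=lambda f: f[1], reverse=True)

if __name__ == "__main__":
    for login, when, reason in unexpected_admins(ROWS, {"siteowner"}):
        print(when.isoformat(" "), login, reason)
```
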

(This story has not been edited by News18 staff and is published from a syndicated news agency feed – IANS)

Bharat Upadhyay, Senior Sub-Editor at News18 Tech, writes about technology and c…

first published: July 02, 2023, 14:00 IST

last updated: July 02, 2023, 14:47 IST

