A critical vulnerability in the popular Ultimate Member plugin was discovered earlier this month. A patch was released to fix the problem on 9th August, but researchers report that bad actors are using the vulnerability to compromise WordPress sites using earlier versions of the plugin.
If you use Ultimate Member on your WordPress site, it should be updated to version 2.0.22 or newer as soon as possible. Failing to update could lead to your site being compromised.
Ultimate Member Vulnerability
Ultimate Member is a popular plugin with over 100,000 active installations. It adds membership-related features to WordPress sites, including user profiles, custom form fields, member directories, and more. Ultimate Member is one of the most widely used plugins for building community and membership sites with WordPress.
The vulnerability in Ultimate Member is classified as an Unauthenticated Arbitrary File Upload vulnerability. A flaw in the plugin allows a bad actor to upload arbitrary files to a WordPress site, including PHP files.
To remove the vulnerability, update Ultimate Member as soon as possible.
The Vulnerability Is Actively Exploited By Hackers
Researchers discovered that a large number of WordPress sites were being compromised with a PHP backdoor. Once the backdoor was installed, the attacker used their access to inject code that redirects site visitors to web pages under the attackers’ control.
The attackers probed WordPress sites for vulnerable versions of Ultimate Member and used the vulnerability to upload the backdoor. Additional code was then injected into various files on the WordPress site, including all files that contain <head> tags and all files with jquery in their name or content.
This is an unsophisticated approach, but it worked – several hundred WordPress sites are known to have been compromised in this way. Users were redirected to pages that presented a Captcha test and asked for permission to send browser notifications.
The Problems Of Disclosure
Many of the attacks happened after the patch to fix the vulnerability in Ultimate Member was released. This is a common pattern: fixing a vulnerability alerts bad actors to its existence. The likelihood of a vulnerable site being attacked increases once the patch is released. WordPress site owners who update promptly are protected; those who delay are not and their sites face increased risk.
In this case, the developers of Ultimate Member did exactly what they were supposed to. The presence of the vulnerability was unfortunate, but any complex software is likely to develop such problems at some point in its life. Of more importance is the fact that it was patched promptly when the vulnerability was discovered.
If you suspect that your site has already been compromised, Sucuri’s mitigation guide includes more information and instructions for removing the malicious code. If you need help, don’t hesitate to get in touch with the Hostdedi support team by opening a ticket in your Client Portal or by email.