A third-party plugin used by more than 200,000 WordPress sites has been found to have an exploitable bug that is still being taken advantage of by bad actors, despite several attempted patches.
WordPress monitoring systems had noted suspicious activity as far back as the beginning of June, when a wave of new accounts was created with the usernames “apadmin” or “wpadmins”. It wasn’t recognised as a privilege escalation issue until a user reported it as one, citing the Ultimate Member plugin as the culprit.
As it turns out, the plugin relied on a blocklist of protected metadata keys to decide which user metadata a registration form was allowed to set, while the WordPress database compares metadata keys under a collation that treats differently cased or accented spellings of a key as the same key. A submitted key that is not byte-for-byte on the blocklist can therefore pass the check and still end up updating a protected entry, including the one that determines a user’s role.
The hackers were able to create new admin accounts, after which they uploaded malicious plugins, themes, and backdoors into the affected sites.
A new version of the plugin was released on 27 June, but the vulnerability remained. At the same time, WordPress users started reporting malicious activity on their sites. On the same day, WordPress was in touch with the plugin creators, who attempted to fix the issue, but with no luck.
Another version of Ultimate Member was released on 28 June, but again the vulnerability was still exploitable. A further version was released on the 29th, the day WordPress first announced the issue publicly, but the issue remains unresolved.
For now, WordPress is recommending that the plugin be disabled entirely until a fix can be found.
“We are committed to ensuring your website’s protection against these types of vulnerabilities,” said WordPress spokesperson Marc Montpas in a blog post. “It is highly recommended that you implement a security plan for your site that includes scanning for malicious files and maintaining regular backups.”
Montpas went into more detail about the bug in his correspondence with Ultimate Member’s makers, noting that the issue seems to be related to UTF-8 characters and that an allowlist function might be more secure.
“To be more clear, I’m not sure it can 100 per cent be fixed without forbidding UTF-8 characters altogether, or, better, implementing an allowlist validation routine pattern to restrict form fields only to a set of known legitimate, rather than potential malicious metas,” Montpas said, before giving one example of how the utf8mb4_unicode_ci database collation that WordPress uses contributes to the issue.
However, it’s not one that can be easily fixed on WordPress’ side.
“There are hundreds of other side-cases like this, and as far as I know, WordPress does not have a function to ‘normalise’ them all in a way that wouldn’t cause other side effects,” Montpas concluded.
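To make the mechanism Montpas describes concrete, here is an added Python illustration (not code from Ultimate Member, WordPress, or Montpas) of why a blocklist of metadata keys fails when the database compares keys under a case- and accent-insensitive collation, and how an exact-match allowlist of form fields avoids the problem. The protected-key and allowed-field sets, the attacker submission, and the `collation_fold` approximation of utf8mb4_unicode_ci are all constructed for this example.

```python
import unicodedata
from typing import Dict, Optional

# Constructed for this example: the two WordPress user-meta keys that decide
# a user's role. They stand in for whatever the real plugin blocklists.
PROTECTED_KEYS = {"wp_capabilities", "wp_user_level"}

# Constructed for this example: the only fields a registration form should be
# allowed to write (the allowlist approach Montpas recommends).
ALLOWED_FORM_FIELDS = {"first_name", "last_name", "description"}


def collation_fold(key: str) -> str:
    """Approximate how a case- and accent-insensitive MySQL collation such as
    utf8mb4_unicode_ci compares two strings: decompose (NFKD), drop combining
    marks, then casefold. This illustrates the idea; it is not MySQL's actual
    weighting algorithm."""
    decomposed = unicodedata.normalize("NFKD", key)
    stripped = "".join(ch for ch in decomposed if not unicodedata.combining(ch))
    return stripped.casefold()


def blocklist_allows(key: str) -> bool:
    """The weak pattern: a byte-exact membership test against a blocklist."""
    return key not in PROTECTED_KEYS


def protected_row_hit(key: str) -> Optional[str]:
    """Which protected row a `WHERE meta_key = %s` lookup would match once the
    database applies its collation; None if the key is genuinely new."""
    folded = collation_fold(key)
    for protected in PROTECTED_KEYS:
        if folded == collation_fold(protected):
            return protected
    return None


def blocklist_outcome(submission: Dict[str, str]) -> Dict[str, Optional[str]]:
    """Keys the blocklist lets through, mapped to the protected row each one
    would silently overwrite (None means a harmless, unrelated key)."""
    return {k: protected_row_hit(k) for k in submission if blocklist_allows(k)}


def allowlist_outcome(submission: Dict[str, str]) -> Dict[str, str]:
    """The hardened pattern: only exact, known form fields survive."""
    return {k: v for k, v in submission.items() if k in ALLOWED_FORM_FIELDS}


# Constructed attacker submission: three spellings of the role key, one exact,
# one in different case, one ending in U+1E61 (Latin small s with dot above).
# The values are placeholders, not a real WordPress role payload.
CRAFTED_SUBMISSION = {
    "first_name": "Alice",
    "wp_capabilities": "administrator",
    "WP_Capabilities": "administrator",
    "wp_capabilitie\u1e61": "administrator",
}

if __name__ == "__main__":
    # Only the exact spelling is stopped by the blocklist; the other two
    # spellings pass it yet fold to the protected wp_capabilities row.
    print("blocklist lets through:", blocklist_outcome(CRAFTED_SUBMISSION))
    # The allowlist keeps first_name and nothing else.
    print("allowlist keeps:", allowlist_outcome(CRAFTED_SUBMISSION))
```

The point of the simulation is that the blocklist and the database disagree about what counts as "the same key": the check is byte-exact, the storage layer is not, and every Unicode character that folds to an ASCII letter is another spelling the blocklist has to anticipate. An allowlist sidesteps that entirely because it only ever admits strings the developer wrote down.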
The Ultimate Member team has apologised for the issue and is waiting for feedback on its latest plugin release.
“We are very lucky to have such a loyal user base of users with over 200,000 websites using our plugin, and ensuring the plugin is safe and secure to use is of the utmost importance to us,” an Ultimate Member spokesperson said in a post. “We have learned a lot from this recent security vulnerability disclosure and will be working hard to ensure the security of our plugin moving forward.”
David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.