These WordPress plugin bugs could jeopardize hundreds of thousands of sites

WordPress site owners currently using the Ultimate Member plugin are being urged to update to the latest version in order to patch three serious security flaws that could be exploited to launch site takeover attacks.

Ultimate Member is a popular WordPress plugin, currently installed on over 100,000 websites, designed to simplify the task of creating and managing user profiles. The plugin enables site owners to create a user-based WordPress website with custom privileges for different users.

However, the security firm Wordfence recently disclosed three high-severity vulnerabilities in the plugin that could be exploited by an attacker to escalate their privileges as well as take over any WordPress site running versions of Ultimate Member before version 2.1.12.

All three vulnerabilities have now been patched with the release of Ultimate Member version 2.1.12 back in late October, and WordPress site owners should update the plugin immediately to avoid falling victim to any potential attacks.

Privilege escalation vulnerabilities

Of the three vulnerabilities disclosed by Wordfence in its new report, two have a maximum CVSS severity rating of 10/10 while the other has a critical CVSS score of 9.8.

The two high severity vulnerabilities allow unauthenticated privilege escalation: one via user meta, by granting admin access upon registration, and the other via user roles, by selecting an admin role during registration. The critical vulnerability is a bit less severe, as an attacker would need wp-admin access to a site's profile.php page to exploit it, though it still allows an authenticated attacker to easily elevate their privileges to admin.

Although Ultimate Member released an updated version of its plugin in October that patched all three vulnerabilities, 34.6 percent of the plugin's active users are still running outdated versions, according to data from WordPress.org.

Now that all three vulnerabilities have been publicly disclosed, cybercriminals will likely try to launch attacks against WordPress sites running vulnerable versions of the plugin, which is why all Ultimate Member plugin users should update their installations to the latest version as soon as possible.

Via BleepingComputer



from TechRadar - All the latest technology news https://ift.tt/35k6YZD
via IFTTT
