Wordfence warns of a critical, unpatched privilege-escalation vulnerability in the Ultimate Member WordPress plugin (versions up to and including 2.6.6) that is actively being exploited on sites running the plugin. The advisory provides a firewall rule, remediation guidance (uninstall until patched), and indicators of compromise to help detect unauthorized administrator accounts, attacker IP addresses, and the exelica.com domain.
Keypoints
- The Ultimate Member plugin (WordPress) is vulnerable to privilege escalation in versions up to and including 2.6.6.
- The vulnerability can be exploited by unauthenticated attackers to register as an administrator on a site.
- Attackers can bypass filters by manipulating user meta keys (e.g., using cases, slashes, and encoding).
- Affected sites can be protected by a Wordfence firewall rule; users are advised to uninstall the plugin until a patch is released.
- Indicators of Compromise include new admin accounts (e.g., wpenginer, wpadmins, wpengine_backup, se_brutal, segs_brutal), specific IPs, and the exelica.com domain.
- The vulnerability places an estimated 200,000+ WordPress sites at risk.
MITRE Techniques
- [T1068] Exploitation for Privilege Escalation – The vulnerability is actively exploited to escalate privileges. Quote: ‘This makes it possible for attackers to set the wp_capabilities user meta value, which controls the user’s role on the site, to ‘administrator’.’
- [T1136] Create Account – Attackers register and create new accounts with administrator privileges. Quote: ‘new user accounts created with administrator privileges.’
- [T1027] Obfuscated/Compressed Files and Information – Bypassing security filters by varying case, slashes, and encoding in a supplied meta key value. Quote: ‘utilizing various cases, slashes, and character encoding in a supplied meta key value in vulnerable versions of the plugin.’
Indicators of Compromise
- [Account] new admin accounts created on the site – wpenginer, wpadmins, wpengine_backup, se_brutal, segs_brutal
- [IP Address] access attempts from attacker IPs observed in logs – 146.70.189.245, 103.187.5.128, 103.30.11.160, 103.30.11.146, 172.70.147.176
- [Domain] domain associated with attacker emails – exelica.com
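The filter-bypass keypoint and the indicator list above, illustrated with defender-side code (an added example, not Wordfence's or the plugin's code): an exact-match meta-key blocklist beside a normalising one, plus a sweep of simplified user rows for administrator accounts whose login matches the listed IoC names. The protected-key set, the sample rows and the helper names are assumptions constructed for this example.

```python
import urllib.parse

# Meta keys that must never be writable from untrusted registration input.
# Constructed for this example; the plugin's real blocklist is not reproduced.
PROTECTED_META_KEYS = {"wp_capabilities", "wp_user_level"}

# Administrator usernames the advisory lists as indicators of compromise.
IOC_USERNAMES = {"wpenginer", "wpadmins", "wpengine_backup", "se_brutal", "segs_brutal"}

# Constructed sample of user rows (simplified: capabilities as a dict, not PHP-serialised).
SAMPLE_USERS = [
    {"user_login": "alice", "wp_capabilities": {"administrator": True}},
    {"user_login": "wpenginer", "wp_capabilities": {"administrator": True}},
    {"user_login": "bob", "wp_capabilities": {"subscriber": True}},
]


def naive_is_protected(key: str) -> bool:
    """Exact-match check: the weak pattern that case, slash and encoding variants slip past."""
    return key in PROTECTED_META_KEYS


def normalize_meta_key(key: str) -> str:
    """Canonicalise a user-supplied meta key before comparing it with the blocklist."""
    prev = None
    while prev != key:  # decode repeatedly so double-encoding cannot hide the key
        prev = key
        key = urllib.parse.unquote(key)
    key = key.replace("\\", "")  # drop escaping backslashes (stripslashes-style)
    return key.strip().lower()


def is_protected_meta_key(key: str) -> bool:
    """Hardened check: compare the canonical form of the key, not the raw string."""
    return normalize_meta_key(key) in PROTECTED_META_KEYS


def suspicious_admins(users):
    """Return logins that hold the administrator capability and match an IoC username."""
    hits = []
    for u in users:
        caps = u.get("wp_capabilities", {})
        if caps.get("administrator") and u["user_login"] in IOC_USERNAMES:
            hits.append(u["user_login"])
    return hits
```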