
Zero-day privilege escalation vulnerability exposed in third-party WordPress "user login system" plug-in; 200,000 websites affected

2025-04-06 Update From: SLTechnology News&Howtos

Shulou(Shulou.com)11/24 Report--

CTOnews.com, July 4: Ultimate Member is a popular "user login system" plug-in for the WordPress blog platform. Security company Wordfence has revealed a zero-day vulnerability in the plug-in that allows hackers to elevate their accounts to administrator and then take over the site.

The plug-in has a major vulnerability numbered CVE-2023-3460, with a risk rating of 9.8. Hackers can take advantage of this vulnerability to bypass the security measures built into the plug-in, modify the wp_capabilities configuration data of an account, set the hacker's account as an administrator, and then control the victimized website.

The developers of the plug-in partially fixed the vulnerability with the release of Ultimate Member version 2.6.3 on June 26, and then released version 2.6.7 on July 1, which completely fixed the vulnerability.

After inquiry, CTOnews.com learned that more than 200,000 WordPress websites have deployed the plug-in. Given the delays in updating the plug-in caused by preloading and poor information, these sites remain extremely vulnerable to hackers.
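A defender's check for the points above, as an added example that is not code from Wordfence, the plug-in, or the original article: it flags installs older than 2.6.7 and lists accounts whose wp_capabilities value grants administrator but that are not on a known-admin list. It assumes WordPress's usual storage of that value as a PHP-serialized array in the wp_usermeta table; the function names, the allowlist and the sample rows are constructed for illustration.

```python
import re

FIXED_VERSION = (2, 6, 7)  # release the article says completely fixed the flaw
PAIR = re.compile(r's:(\d+):"([^"]*)";b:([01]);')  # one role => bool entry

def is_vulnerable(version):
    """True when an Ultimate Member version string predates the full fix."""
    return tuple(int(p) for p in version.split(".")) < FIXED_VERSION

def parse_capabilities(value):
    """Return the roles set to true in a PHP-serialized wp_capabilities value."""
    m = re.fullmatch(r"a:(\d+):\{(.*)\}", value)
    if not m:
        raise ValueError("not a serialized array")
    pairs = PAIR.findall(m.group(2))
    rebuilt = "".join('s:%s:"%s";b:%s;' % p for p in pairs)
    # Refuse anything not fully understood: leftover bytes, wrong count or length.
    if rebuilt != m.group(2) or len(pairs) != int(m.group(1)):
        raise ValueError("unexpected content in array")
    if any(len(role.encode()) != int(n) for n, role, _ in pairs):
        raise ValueError("declared string length mismatch")
    return {role for _, role, flag in pairs if flag == "1"}

def unexpected_admins(rows, known_admins):
    """rows are (user_id, meta_key, meta_value) tuples exported from wp_usermeta."""
    findings = []
    for user_id, key, value in rows:
        if not key.endswith("_capabilities"):  # table prefix varies per site
            continue
        try:
            roles = parse_capabilities(value)
        except ValueError:
            findings.append((user_id, "unparseable"))  # review by hand
            continue
        if "administrator" in roles and user_id not in known_admins:
            findings.append((user_id, "administrator"))
    return findings

# Constructed sample rows, not data from any real site.
SAMPLE_ROWS = [
    (1, "wp_capabilities", 'a:1:{s:13:"administrator";b:1;}'),
    (7, "wp_capabilities", 'a:1:{s:10:"subscriber";b:1;}'),
    (42, "wp_capabilities", 'a:1:{s:13:"administrator";b:1;}'),
    (43, "nickname", "sample"),
    (44, "wp_capabilities", 'a:1:{s:13:"administrator";b:1'),  # truncated value
]

if __name__ == "__main__":
    print(is_vulnerable("2.6.3"), unexpected_admins(SAMPLE_ROWS, known_admins={1}))
```

Any account reported here still needs manual review, since an administrator added legitimately after the allowlist was written will also appear.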
