Automattic’s WP.cloud and Pressable.com platforms have recently noticed a disturbing pattern of compromised sites. They found that illegitimate new administrator accounts were continuously appearing on the impacted sites. After investigating this matter, a post on the WordPress.org support forums by Slavic Dragovtev brought to light a potential security problem. The issue revolved around a Privilege Escalation vulnerability in the Ultimate Member plugin, which has over 200,000 active installations. Even more alarming, this vulnerability was being actively leveraged by cybercriminals.
Reacting swiftly to the vulnerability report, the plugin’s developers released an updated version, 2.6.4, intending to resolve the issue. However, when Automattic conducted an in-depth analysis of the update, numerous ways to bypass the proposed fix were discovered, showing that the vulnerability was still fully exploitable.
Automattic’s monitoring systems confirmed that attacks utilizing this vulnerability were indeed occurring, heightening the urgency of the situation. In response to these findings, they immediately reached out to the plugin’s authors, shared their discoveries, and offered their assistance to help address the problem as soon as possible.
This vulnerability is of grave concern, as it allows unauthenticated attackers to create new user accounts with administrative privileges. This gives the attacker the capacity to take over the affected sites entirely.
Privilege Escalation Vulnerability in Ultimate Member Plugin
The Ultimate Member plugin operates by using a predefined list of user metadata keys that users should not manipulate. This list is used to check if users are trying to register these keys while creating an account. Although this blocklist approach might seem intuitive, it often leaves room for security bypasses and is harder to manage than expected.
The recommended approach is to use an allowlist, which approves specific inputs and rejects anything not on the list. This approach typically provides a more robust security measure.
However, due to differences in how Ultimate Member’s blocklist logic and WordPress handle metadata keys, attackers could trick the plugin into updating keys it should not, such as “wp_capabilities” used to store a user’s role and capabilities.
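The blocklist-versus-allowlist difference described above, as an added illustration that is not Ultimate Member’s code: the storage_normalize step is a constructed stand-in for “differences in how the plugin and WordPress handle metadata keys,” and PROTECTED_KEYS, ALLOWED_KEYS and SAMPLE_FORM are constructed sample data, not values taken from the plugin or from observed attacks.

```python
from typing import Callable, Dict, Set

# Constructed subset of metadata keys a registration form must never set.
PROTECTED_KEYS: Set[str] = {"wp_capabilities", "wp_user_level"}

# Constructed allowlist: the only keys a registration form may populate.
ALLOWED_KEYS: Set[str] = {"first_name", "last_name", "description"}


def storage_normalize(key: str) -> str:
    """Constructed stand-in for the storage layer's own key handling
    (here: trim and lower-case). The only point is that it differs from
    what the blocklist compares against, which is the bug class the post
    describes, not the plugin's actual logic."""
    return key.strip().lower()


def blocklist_filter(form: Dict[str, str]) -> Dict[str, str]:
    """Blocklist check on the raw key, before the storage layer normalizes it."""
    return {k: v for k, v in form.items() if k not in PROTECTED_KEYS}


def allowlist_filter(form: Dict[str, str]) -> Dict[str, str]:
    """Normalize first, then keep only keys that are explicitly approved."""
    return {storage_normalize(k): v for k, v in form.items()
            if storage_normalize(k) in ALLOWED_KEYS}


def write_user_meta(filtered: Dict[str, str]) -> Dict[str, str]:
    """Model of the write: keys are normalized on the way to storage."""
    return {storage_normalize(k): v for k, v in filtered.items()}


def protected_keys_written(form: Dict[str, str],
                           filt: Callable[[Dict[str, str]], Dict[str, str]]) -> Set[str]:
    """Which protected keys reach storage after running `filt` on the form."""
    return set(write_user_meta(filt(form))) & PROTECTED_KEYS


# Constructed registration payload: one legitimate field plus a key that
# differs from the blocklist entry only in form, not in what storage sees.
SAMPLE_FORM: Dict[str, str] = {
    "first_name": "Alice",
    " Wp_Capabilities ": "<placeholder role value>",
}

if __name__ == "__main__":
    print("blocklist lets through:", protected_keys_written(SAMPLE_FORM, blocklist_filter))
    print("allowlist lets through:", protected_keys_written(SAMPLE_FORM, allowlist_filter))
```

The allowlist version is robust precisely because it never has to anticipate every spelling of a forbidden key: anything not explicitly approved is dropped after normalization.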
Indicators of Compromise
Several IP addresses were found to be actively attacking sites:
The attacks we’ve observed generally involve the following steps:
- An initial POST request is made to the plugin’s user registration page, usually “/register.”
- The attacker then attempts to log in with the newly created account using the “/wp-login.php” page.
- Finally, a malicious plugin is uploaded through the site’s administration panel.
Common usernames for malicious accounts created during the recent attack wave include:
Other indicators of compromise include malicious plugins, themes, and code additions. Malicious plugins such as “yyobang” and backdoors like “autoload_one.php” have been added to legitimate plugins. Malicious themes such as “fing” have also been identified. Furthermore, attempts to create a persistent user, “wpadminns,” have been made by modifying the active theme’s functions.php.
- June 4, 2023: Pressable.com / WP.cloud’s monitoring systems first logged attack waves creating accounts with “apadmin” and “wpadmins” usernames.
- June 26, 2023: Slavic Dragovtev reports a potential privilege escalation vulnerability to Ultimate Member.
- June 27, 2023: Ultimate Member version 2.6.4 is released, but it remains vulnerable.
- June 27, 2023: Joshua Goode, representing Pressable.com and WP.cloud, starts an investigation, confirms that a vulnerability is being actively exploited, identifies numerous indicators of compromise, and escalates the issue to the Jetpack & WPScan Security Research team.
- June 27, 2023: Some plugin users start noticing attack attempts against their sites.
- June 27, 2023: We report bypasses in the 2.6.4 fix to Ultimate Member’s authors, who quickly reply with a potential, but still insufficient, fix.
- June 28, 2023: Version 2.6.5 is released to the public, but it remains exploitable.