Attention WordPress admins: Security researchers have noticed a rise in attacks targeting the Ultimate Member plug-in. These attacks have prompted the release of a security patch that website operators should install promptly. The Ultimate Member plug-in is widely used, with over 200,000 active installations. Security researchers from WPScan have classified the vulnerability (CVE-2023-3460) as critical, as it allows attackers to gain admin rights. To prevent further attacks, the researchers have not disclosed detailed attack scenarios. Instead, they have listed indications of an attack, including suspicious IP addresses and the presence of fake admin accounts such as “apadmins,” “wpadmins,” or “segs_brutal.” Website owners should also remove any plugins installed by the attackers, such as “yyobang” and backdoors.
The developers have addressed the security issue in version 2.6.7 of the Ultimate Member plug-in. Admins are urged to ensure they have installed this version promptly. The vulnerability was first identified in early June 2023, with the initial attacks observed at the end of that month. Although the developers released a security update quickly, the security researchers were able to bypass the fix. Consequently, version 2.6.7, which provides full protection against attacks, was released at the beginning of July. The Ultimate Member provider strongly recommends that admins update their plug-ins promptly to safeguard their websites.