A WordPress plugin named Ultimate Member has three critical vulnerabilities that could let users easily gain admin-level privileges. They were reported by the Wordfence team and given a severity score of 10/10 for two of them and 9.8/10 for the third. The Ultimate Member team released a patch soon after being notified and urges users to update immediately.
WordPress Plugin with High Severity Bugs
It is common for WordPress plugins to ship with bugs, or to carry them until they are discovered. What matters is how, and how quickly, the developers respond in addressing them. In this case, the Ultimate Member team has done well, but it is users' failure to update that leaves over 25,000 sites at risk. As reported by Wordfence's Threat Intelligence team, the Ultimate Member plugin has three critical bugs.
The plugin's purpose is clear: it lets site owners manage their subscribers. It sets each visitor's access level according to the type of subscription they hold, so that, for example, premium subscribers can read exclusive content while ordinary registered users are limited to reading and commenting. The plugin was reported to have three bugs, two of them rated severe at 10/10 and one rated serious at 9.8/10.
The two severe bugs would let unauthenticated users, such as someone who has just filled in a contact form, obtain admin-level privileges on the site. The third lets authenticated users (those who already have access to the wp-admin page) attain the same admin-level privileges. With these permissions, an attacker can modify the site however they want.
For instance, they can install or delete features and plugins, change other users' roles, inject malware, set up a backdoor, and even take the site offline. Addressing these bugs is therefore essential. The Ultimate Member team released patch update 2.1.12 on October 29th, just three days after being notified, and urges everyone to apply it. Over 100,000 sites actively use this plugin, and over 25,000 of them have yet to update.