A serious security flaw has been revealed in a popular WordPress plugin called Ultimate Member, which has more than 200,000 active installations.
What is this vulnerability in the WordPress Ultimate Member plugin
The vulnerability, identified as CVE-2024-1071, has a CVSS score of 9.8 out of a possible 10; security researcher Christiaan Swiers was credited with discovering and reporting the flaw.
In an advisory published last week, WordPress cybersecurity company Wordfence declared that the plugin is “vulnerable to SQL injection via 'sorting' parameter in versions 2.1.3 to 2.8.2 due to insufficient data leakage on the user-supplied parameter and lack of sufficient preparation on the existing SQL query.”
As a result, unauthenticated attackers could exploit the flaw to append additional SQL queries to existing ones and extract sensitive data from the database; in short, it is a SQL injection attack.
It must be said, however, that the problem only affects users who have selected the “Enable custom table for usermeta” option in the plugin settings.
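The sorting-parameter weakness described above, shown as an added example (not code from the Ultimate Member plugin or from Wordfence): a user-supplied sort expression concatenated into ORDER BY beside a builder that resolves the sort key and direction through a fixed allowlist. Table and column names are assumptions, and the rows are constructed sample data.

```python
import sqlite3

# Constructed sample table standing in for the plugin's custom usermeta table
# (table name and columns are assumptions, not the plugin's real schema).
SAMPLE_ROWS = [
    (1, "alice", "2024-01-05"),
    (2, "bob", "2023-11-20"),
    (3, "carol", "2024-02-10"),
]

# Only these request-facing sort keys are accepted; each maps to a real column.
SORT_COLUMNS = {"user_login": "user_login", "registered": "user_registered"}
SORT_ORDERS = {"asc": "ASC", "desc": "DESC"}


def build_query_unsafe(sorting: str) -> str:
    """Vulnerable pattern: the request's sort expression is concatenated straight
    into ORDER BY. Column names cannot be bound as query parameters, so a
    prepared statement alone would not close this hole; an allowlist is needed."""
    return f"SELECT id, user_login FROM um_usermeta ORDER BY {sorting}"


def build_query_safe(sorting: str) -> str:
    """Hardened pattern: look up key and direction in fixed allowlists so that no
    text from the request reaches the SQL string verbatim."""
    key, _, order = sorting.partition(" ")
    order = order or "asc"
    if key not in SORT_COLUMNS or order not in SORT_ORDERS:
        raise ValueError(f"unsupported sorting value: {sorting!r}")
    return (f"SELECT id, user_login FROM um_usermeta "
            f"ORDER BY {SORT_COLUMNS[key]} {SORT_ORDERS[order]}")


def run_sorted(sorting: str) -> list:
    """Run the hardened query against an in-memory copy of the sample table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE um_usermeta (id INTEGER, user_login TEXT, user_registered TEXT)")
    conn.executemany("INSERT INTO um_usermeta VALUES (?, ?, ?)", SAMPLE_ROWS)
    rows = conn.execute(build_query_safe(sorting)).fetchall()
    conn.close()
    return [login for _, login in rows]


if __name__ == "__main__":
    print(run_sorted("registered desc"))  # ['carol', 'alice', 'bob']
    # Arbitrary text passes straight through the unsafe builder ...
    print(build_query_unsafe("id, (SELECT 1)"))
    # ... but is rejected before it ever reaches the database by the safe one.
    try:
        build_query_safe("id, (SELECT 1)")
    except ValueError as exc:
        print("rejected:", exc)
```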
There is no need to panic, however: following the responsible disclosure on January 30, 2024, the plugin developers made a fix available with the release of version 2.8.3 on February 19.
Users are advised to update the plugin to the latest version as soon as possible to mitigate potential threats, especially in light of the fact that Wordfence has already blocked an attack that tried to exploit the flaw in the last 24 hours.
In July 2023, another vulnerability in the same plugin (CVE-2023-3460, CVSS score: 9.8) was actively exploited by cybercriminals to create fraudulent admin users and take control of vulnerable sites.
This discovery comes amid the rise of a new campaign that takes advantage of compromised WordPress sites to inject crypto-drainers (which, as the name suggests, siphon off cryptocurrency) such as Angel Drainer directly, or to redirect site visitors to Web3 phishing sites that contain drainers.
“These attacks leverage phishing tactics and malicious injections to exploit the Web3 ecosystem's reliance on direct interactions with wallets [that is, cryptocurrency wallets], posing a significant risk to both website owners and the security of user assets,” said Sucuri researcher Denis Sinegubko.
This also follows the discovery of a drainer-as-a-service (DaaS) scheme called CG (short for CryptoGrab), which runs an affiliate program with 10,000 Russian-, English- and Chinese-speaking members.
One of the Telegram channels controlled by the cybercriminals “directs attackers to a Telegram bot that allows them to manage their fraudulent operations without third-party dependencies,” Cyfirma stated in a report last month, adding: “The bot allows a user to get a domain for free, clone an existing template for the new domain, set the wallet address where the scammed funds should be sent and also provides Cloudflare protection for that new domain.”
The cyber crime group has also been observed using two custom Telegram bots called SiteCloner and CloudflarePage to clone an existing website and add Cloudflare protection to it, respectively; these pages are then distributed primarily using compromised X (formerly known as Twitter) accounts.
#WordPress #vulnerability #plugin #sites