Tens of thousands of WordPress sites vulnerable due to plug-in vulnerability
Written by: Arthur Hart
Tens of thousands of WordPress sites can easily be taken over by criminals because they use a vulnerable plug-in. This is Ultimate Member, a plug-in that allows WordPress sites to add all kinds of functionality for registered users, such as extensive user profiles and special user roles. Ultimate Member is primarily intended for online communities and membership sites.
More than 100,000 websites use the plug-in. Researchers at security company Wordfence discovered three vulnerabilities in the plug-in that allow ordinary users to become administrators and thus gain full control over the website. On the 1-to-10 severity scale, two of the vulnerabilities were rated 10 and the third scored 9.9.
Those scores indicate critical vulnerabilities that are easy to exploit. After discovering them, Wordfence notified the developers of Ultimate Member. On October 29, version 2.1.12 of the plug-in, which fixes the vulnerabilities, was released. Now, about two weeks later, Wordfence has published the details of the vulnerabilities.
Figures from WordPress show that tens of thousands of websites are still vulnerable. For example, 20,000 websites use version 2.0 or older. Eighty percent run version 2.1.x, but the exact version number is not broken down further. Since October 29 the plug-in has been downloaded about 76,000 times. Webmasters using the plug-in are advised to update to the new version.
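As an added example (not from the article, Wordfence or the Ultimate Member project), a small Python check that reads the plug-in's file header and reports whether the installed version predates the 2.1.12 fix; the plug-in path under wp-content and the header layout are assumptions, and the sample header is constructed.

```python
import re
from pathlib import Path
from typing import Optional

# Version named in the article as containing the fix; anything older is reported.
FIXED_VERSION = "2.1.12"

# Assumed location of the plug-in's main file inside a WordPress install.
PLUGIN_FILE = Path("wp-content/plugins/ultimate-member/ultimate-member.php")


def parse_version(text: str) -> tuple:
    """Turn '2.1.12' or '2.0' into a comparable tuple. Missing parts count as 0,
    so '2.0' sorts below '2.1.12'. A non-numeric part (e.g. '12-beta') also
    becomes 0, which errs on the side of reporting the install as outdated."""
    parts = [int(p) if p.isdigit() else 0 for p in text.strip().split(".")]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def header_version(header: str) -> Optional[str]:
    """Extract the 'Version:' field from a WordPress plug-in file header."""
    m = re.search(r"^\s*\*?\s*Version:\s*(\S+)", header, re.MULTILINE)
    return m.group(1) if m else None


def is_vulnerable(installed: str, fixed: str = FIXED_VERSION) -> bool:
    """True when the installed version is older than the fixed release."""
    return parse_version(installed) < parse_version(fixed)


def check_install(root: str = ".") -> dict:
    """Inspect a WordPress root; an unreadable version is reported as vulnerable."""
    path = Path(root) / PLUGIN_FILE
    if not path.exists():
        return {"installed": False, "version": None, "vulnerable": False}
    header = path.read_text(encoding="utf-8", errors="replace")[:4096]
    ver = header_version(header)
    return {"installed": True, "version": ver,
            "vulnerable": ver is None or is_vulnerable(ver)}


# Constructed sample header (not a real plug-in file) for stand-alone use.
SAMPLE_HEADER = "<?php\n/*\nPlugin Name: Ultimate Member\nVersion: 2.1.11\n*/\n"

if __name__ == "__main__":
    v = header_version(SAMPLE_HEADER)
    print(f"sample header version {v}: vulnerable={is_vulnerable(v)}")
    print(check_install("."))
```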