Over 200K WordPress Websites Vulnerable to Cyberattacks

Over 200,000 WordPress Websites Vulnerable to Cyberattacks Due to Critical Plugin Bug

More than 200,000 WordPress websites are currently at risk due to a critical unpatched security vulnerability in one of the plugins. The plugin in question here is a popular tool used to create advanced online communities and membership sites. The vulnerability is being actively exploited by threat actors to create secret admin accounts, thereby gaining full control of the affected sites.

The plugin, which boasts over 200,000 active installations, allows admins to create almost any type of site where users can join and become members with ease. However, the plugin’s security mechanism, which relies on a pre-defined list of user metadata keys that users should not manipulate, has been deemed insecure by researchers. (Security Affairs)

According to the WordPress security firm WPScan, the plugin uses this list to check if users are attempting to register these keys when creating a new account. This has made it possible for attackers to trick the plugin into updating some it shouldn’t.

The flaw remains unpatched in the latest version of the plugin, v2.6.6, despite attempts by the developers to fix it in versions 2.6.3, 2.6.4, 2.6.5, and 2.6.6. The developers have stated they are continuing to work on resolving the remaining issue and hope to release a new update soon (Bleeping Computer, 2023).

The attacks exploiting this zero-day vulnerability have been observed by Wordfence threat intelligence researchers, who warn that not even the firewall rule they specifically developed to protect their clients from this threat covers all potential exploitation scenarios. Therefore, WordPress website owners and administrators ought to stay vigilant and ensure that all plugins are up-to-date and secure. In the face of this ongoing threat, it is recommended to verify that the Ultimate Member plugin is not installed on your site until a patch is made available.

Read also: Why Log4j Vulnerability has been sleepless nights to security and IT experts?

Preventive Measures: A Futurism Advisory

Preventing such attacks requires a combination of proactive and reactive measures. Futurism recommends the following cybersecurity measures:

• Web Security: Deploy a powerful web security solution for up-to-the-minute protection against various malicious web threats and prevent users/employees from accessing malicious websites.

• Update Regularly: Always keep your WordPress core, plugins, and themes up-to-date. Developers often release updates to fix security vulnerabilities. In this case, the Ultimate Member plugin should be updated as soon as a patch is released. Conduct vulnerability assessment and penetration testing on a regular basis.

• Disable Vulnerable Plugin: Until a definitive patch is released, it is recommended to disable the Ultimate Member plugin. This will prevent attackers from exploiting the vulnerability.

• Use a Security Plugin:Install a security plugin that can monitor your website for malware and suspicious activity. Some plugins can also implement a firewall for additional protection.

• Regular Backups: Regularly backup your website. In case of a successful attack, backups allow you to restore your website to a state before the attack.

• Strong Passwords:Use strong, unique passwords for all your accounts, especially the admin account. This can prevent brute force attacks.

• Strong multi-factor authentication: Deploy a powerful identity and access management solution to establish a robust multi-factor authentication that allows to accept, deny and/or challenge requests based on various factors such as geographic location, IP reputation, application data, etc.

• Limit Login Attempts: Limit the number of login attempts from a single IP address to prevent brute force attacks.

• User Role Definition: Assign the minimum necessary privileges to each user role. The fewer privileges an account has, the less damage it can do if compromised.

• Monitor User Activity: Keep an eye on user activity, especially the creation of new admin accounts with the help of an AI-powered and advanced threat protection solution. Any suspicious activity should be investigated immediately.

• Use a Web Application Firewall (WAF): A WAF can help filter out malicious traffic and provide an additional layer of security.

• Secure Hosting: Use a secure and reputable hosting provider. Some hosts offer security features such as regular scans for malware, automatic updates, and firewalls.

• Seek expert help: Roping in the services of a trusted managed cybersecurity services provider can work wonders when it comes to deploying the most apt layers of cyber defense and preventing your website and all the digital assets and infrastructure safe from evolving threats like the Ultimate Member plugin vulnerability.

Don’t leave your website vulnerable to cyberattacks. Stay ahead of the threats. Contact our cybersecurity experts to schedule a comprehensive security audit and let us help you ensure your WordPress site is secure and up-to-date.

Click here to schedule your security audit now.

Disclaimer: All information as well as data presented in this article are solely those of the original authors and their respective online sources. They do not represent or align with the principles, goals, or viewpoints of Futurism Technologies.