A critical zero-day vulnerability in the WordPress plugin Ultimate Member is being exploited in the wild. It allows attackers to escalate their privileges and take full control of the affected website. Ultimate Member provides user sign-up and lets a WordPress site handle memberships and profiles. It has over 200,000+ active installations, all of which remain vulnerable to this flaw until they are upgraded. A reply from the plugin's support team to a forum post about the vulnerability confirms that it exists in all previous Ultimate Member versions and that a fix has been released in version 2.6.7, so users should update to version 2.6.7 to resolve it.
Tracked as CVE-2023-3460, this critical vulnerability has a CVSS base score of 9.8 and is being actively exploited, as described by the Wordfence Threat Intelligence Team in their detailed blog post, which also lists indicators of compromise that can be used to check a site for signs of exploitation. An unauthenticated attacker can manipulate the plugin's user registration form to bypass its security restrictions by varying letter case, inserting slashes, and using alternate character encodings. The plugin relies on a list of banned meta keys that a registering user should not be able to set; the bypass lets the attacker submit a disguised variant of such a key and so write a meta value for wp_capabilities that grants the new account the administrator role. This privilege escalation gives the attacker complete control over the vulnerable site.
The newest release of Ultimate Member patches this flaw, so users should upgrade to version 2.6.7 to be protected against this form of attack. An alternative mitigation is to remove the plugin from the WordPress site entirely: without the user registration form the plugin provides, attackers cannot perform the exploit. In a security incident update, Ultimate Member revealed that a first fix was attempted in version 2.6.4, but attackers were still able to bypass the restrictions using variations on the wp_capabilities key such as wp_capabiliti\es and wp_caPabilitiEs. Version 2.6.7 corrects this by handling case variants of the key and by allow-listing meta keys, which can also disrupt the way the plugin works with third-party modifications. Ultimate Member recommends updating to version 2.6.7 and then reviewing all administrator-level accounts and deleting any that are unknown, to ensure the site is secure.
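The two preceding paragraphs describe a blocklist on submitted meta keys that attackers evaded with case, slash and encoding variants, and then the post-upgrade step of hunting for administrator accounts you did not create. The following Python is an added, simplified model of both points; it is not Ultimate Member's code and does not reproduce the plugin's actual logic. The blocklist and allow-list contents, the `wp_unslash`/`lookup_ci` helpers, the attacker submissions and the sample user records are all constructed assumptions, and the case-insensitive lookup assumes a MySQL `*_ci` collation on the meta_key column.

```python
import re
from urllib.parse import unquote

# Added illustrative model, not Ultimate Member's code. Names, blocklist and
# allow-list contents, and the sample data below are assumptions.

BANNED_KEYS = {"wp_capabilities", "wp_user_level"}          # assumed blocklist
ALLOWED_KEYS = {"first_name", "last_name", "description"}   # assumed allow-list
ADMIN_CAPS = 'a:1:{s:13:"administrator";b:1;}'              # serialized WP role array


def wp_unslash(value: str) -> str:
    """Strip backslashes the way PHP stripslashes()/wp_unslash() do."""
    return re.sub(r"\\(.)", r"\1", value)


def lookup_ci(usermeta: dict, key: str):
    """Case-insensitive meta lookup, modelling a MySQL *_ci collation (assumption)."""
    for stored_key, value in usermeta.items():
        if stored_key.lower() == key.lower():
            return value
    return None


# --- vulnerable pattern: blocklist compared against the raw submitted key ---

def vulnerable_store(form: dict) -> dict:
    """Write every field whose raw key is not on the blocklist, unslashed."""
    return {wp_unslash(k): v for k, v in form.items() if k not in BANNED_KEYS}


# --- hardened pattern: canonicalise first, then allow-list ---

def normalize_key(raw: str) -> str:
    """Percent-decode (twice, for double encoding), unslash, trim, lowercase."""
    key = unquote(unquote(raw))
    return wp_unslash(key).strip().lower()


def hardened_store(form: dict) -> dict:
    """Only keys on the allow-list survive; comparison uses the canonical form."""
    out = {}
    for k, v in form.items():
        key = normalize_key(k)
        if key in ALLOWED_KEYS:
            out[key] = v
    return out


def grants_admin(form: dict, store) -> bool:
    """Would this submission leave the new user with the administrator role?"""
    caps = lookup_ci(store(form), "wp_capabilities") or ""
    return '"administrator"' in caps


# Constructed attacker submissions exercising the case and backslash variants
# named in the advisory (the encoding variant is covered by normalize_key).
ATTACK_FORMS = [
    {"first_name": "Eve", "wp_capabilities": ADMIN_CAPS},    # caught by the blocklist
    {"first_name": "Eve", "wp_caPabilitiEs": ADMIN_CAPS},    # case variant
    {"first_name": "Eve", "wp_capabiliti\\es": ADMIN_CAPS},  # backslash variant
]


def bypass_results(store) -> list:
    """One bool per attack form: True if the store function grants admin."""
    return [grants_admin(f, store) for f in ATTACK_FORMS]


# --- post-patch audit: find admin accounts you did not create ---

# Constructed user records in the shape {"login": ..., "meta": {...}}.
SAMPLE_USERS = [
    {"login": "owner", "meta": {"wp_capabilities": ADMIN_CAPS}},
    {"login": "editor1", "meta": {"wp_capabilities": 'a:1:{s:6:"editor";b:1;}'}},
    {"login": "support_tmp", "meta": {"wp_caPabilitiEs": ADMIN_CAPS}},
]


def unexpected_admins(users: list, known_admins: set) -> list:
    """Logins holding administrator caps under any key variant the case-insensitive
    lookup honours, minus the admins the site owner expects to exist."""
    found = []
    for user in users:
        caps = lookup_ci(user["meta"], "wp_capabilities") or ""
        if '"administrator"' in caps and user["login"] not in known_admins:
            found.append(user["login"])
    return found


if __name__ == "__main__":
    print("vulnerable:", bypass_results(vulnerable_store))
    print("hardened:  ", bypass_results(hardened_store))
    print("unexpected admins:", unexpected_admins(SAMPLE_USERS, {"owner"}))
```

The design point is the one the incident history illustrates: a blocklist compared against the raw input is only as good as the attacker's imagination, whereas canonicalising the key first and then accepting only a fixed allow-list removes the whole class of variant spellings at once. The audit helper deliberately matches capability keys case-insensitively, so an account whose role was planted under a disguised key is still surfaced.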
“We were very impressed with the service, I will say, the vulnerability found was one our previous organisation had not picked up, which does make you wonder if anything else was missed.”
Aim Ltd Chief Technology Officer (CTO)