The disclosure of a critical security flaw in the widely deployed WordPress plugin Ultimate Member has alarmed the online community. Tracked as CVE-2024-1071 and discovered by security researcher Christiaan Swiers, the vulnerability carries a CVSS score of 9.8 out of 10.
Technical Overview of CVE-2024-1071
The vulnerability affects versions 2.1.3 to 2.8.2 of Ultimate Member and stems from a SQL injection flaw in the ‘sorting’ parameter. Because the value is neither sufficiently escaped nor used in a properly prepared query, attackers can inject malicious SQL through it. Notably, the vulnerability affects sites that have enabled the “Enable custom table for usermeta” option in the plugin settings.
The ramifications of CVE-2024-1071 should not be underestimated. Unauthenticated threat actors could exploit the flaw to infiltrate websites, manipulate database contents, and potentially extract sensitive data. The inherent risk of an unauthenticated SQL injection underscores the urgency of prompt mitigation.
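A sorting parameter is a classic source of this bug class: the column name and direction in an ORDER BY clause cannot be bound as query parameters, so escaping quotes does nothing and the only sound defence is mapping the user value onto an allowlist. The following is an added illustration of that hardened pattern, written in Python with an in-memory SQLite table; it is not the plugin's own code, and the table name, column names and sample rows are constructed for the demo.

```python
import sqlite3

# Constructed sample rows standing in for a custom usermeta table (not the plugin's schema).
SAMPLE_ROWS = [
    (1, "alice", "2024-01-05"),
    (2, "bob", "2023-11-20"),
    (3, "carol", "2024-02-10"),
]

# Allowlist: the only identifiers an ORDER BY clause may ever contain.
# Keys are the values accepted from the request; values are real column names.
SORT_COLUMNS = {"user_id": "user_id", "username": "user_login", "registered": "user_registered"}
SORT_DIRECTIONS = {"asc": "ASC", "desc": "DESC"}


def build_order_by_unsafe(sorting: str) -> str:
    """The vulnerable shape: the request value is interpolated verbatim. Escaping
    would not help here, because an identifier is not a quoted string literal."""
    return "ORDER BY " + sorting


def build_order_by(sorting: str) -> str:
    """Hardened form: map a value such as 'username_desc' onto allowlisted
    identifiers and reject anything else instead of trying to sanitise it."""
    key, _, direction = sorting.rpartition("_")
    if key not in SORT_COLUMNS or direction not in SORT_DIRECTIONS:
        raise ValueError(f"rejected sort value: {sorting!r}")
    return f"ORDER BY {SORT_COLUMNS[key]} {SORT_DIRECTIONS[direction]}"


def is_accepted(sorting: str) -> bool:
    """True if the hardened builder accepts the value, False if it rejects it."""
    try:
        build_order_by(sorting)
        return True
    except ValueError:
        return False


def sample_db() -> sqlite3.Connection:
    """Build the constructed sample table in memory."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE um_usermeta_sample (user_id INTEGER, user_login TEXT, user_registered TEXT)")
    conn.executemany("INSERT INTO um_usermeta_sample VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def query_users(conn: sqlite3.Connection, sorting: str) -> list:
    """Return user logins ordered by a request-supplied sort value, via the allowlist."""
    sql = "SELECT user_id, user_login FROM um_usermeta_sample " + build_order_by(sorting)
    return [row[1] for row in conn.execute(sql)]
```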
Version 2.8.3 of Ultimate Member Contains the Patch
Following responsible disclosure, the plugin developers released a patch in version 2.8.3 of Ultimate Member on February 19. Users should update to that version promptly to protect their websites from exploitation. Wordfence, a WordPress security company, had already intercepted one attempted attack within 24 hours of the disclosure, which shows the threat is active.
However, this vulnerability is not an isolated incident. It is part of a broader trend of vulnerabilities targeting WordPress sites. Threat actors have previously exploited similar vulnerabilities, such as CVE-2023-3460, to orchestrate malicious activities, including the creation of rogue admin users.
Other Malicious Campaigns Against WordPress Sites
A new campaign leveraging compromised WordPress sites to inject crypto drainers has also emerged in the wild. The campaign capitalizes on the Web3 ecosystem’s reliance on direct wallet interactions, posing significant risks to both website owners and user assets.
Sophisticated schemes, such as the drainer-as-a-service (DaaS) operation dubbed CG (CryptoGrab), are also on the rise. This scheme runs a large-scale affiliate program that enables fraudulent operations with alarming efficiency.