A critical unauthenticated SQL Injection vulnerability, identified as CVE-2024-1071, has been discovered in versions 2.1.3 to 2.8.2 of the Ultimate Member WordPress plugin. This vulnerability affects over 200,000 active installations and allows attackers to inject malicious SQL commands through the ‘sorting’ parameter. Successful exploitation could lead to the extraction of sensitive information, including password hashes, from the database.
Vulnerability Details:
- CVE ID: CVE-2024-1071
- Affected Versions: Ultimate Member WordPress Plugin versions 2.1.3 to 2.8.2
- Impact: SQL Injection, Data Exfiltration
Impact:
- Unauthorized access to sensitive information
- Potential compromise of user credentials and data
- Risk of further exploitation and compromise of the affected WordPress sites
Recommendations:
- Update: Immediately update the Ultimate Member plugin to version 2.8.3 to mitigate the vulnerability.
- Review: Conduct a security review of your WordPress site to ensure no unauthorized access or changes have occurred.
- Monitor: Monitor your website for any unusual activity or unauthorized access attempts.
- Educate: Educate your website administrators and users about safe browsing practices and security measures.
Action Required:
Immediate action is required to update the Ultimate Member plugin to version 2.8.3 to protect your website from potential exploitation. Failure to update could result in unauthorized access to your website and compromise of sensitive information.