A significant security flaw has been identified in the Ultimate Member plugin for WordPress, leaving more than 200,000 websites vulnerable to Cross-Site Scripting (XSS) attacks. The vulnerability, discovered by a researcher known as stealthcopter during the Wordfence Bug Bounty Extravaganza, has been promptly addressed with a patch. Website administrators are urged to update their installations to the latest version of Ultimate Member to mitigate the risk.
Details:
- Vulnerability ID: CVE-2024-2123
- Affected Versions: Ultimate Member plugin versions up to and including 2.8.3
- Impact: The flaw allows unauthenticated attackers to inject malicious scripts into web pages, potentially leading to unauthorized administrative access and further compromise of the website.
- Discovery and Reporting: The vulnerability was discovered by stealthcopter and reported to Wordfence, which awarded a $563 bounty for the discovery. Wordfence then validated the issue and worked with the Ultimate Member team to release a patch on March 6, 2024.
- Technical Breakdown: The vulnerability arises from insufficient input sanitization and output escaping in the plugin’s member directory list functionality. Malicious scripts could be injected through user display names during registration.
- Mitigation: Website owners should update to the latest patched version of Ultimate Member (2.8.4) to protect against this vulnerability. Wordfence users, including those with the free version, have been provided immediate protection through the firewall’s built-in XSS protection.
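The technical breakdown above describes the classic stored-XSS pattern: a display name accepted at registration without sanitization is later written into the member directory markup without escaping. The following PHP is an added illustration of that pattern and its fix, written for this summary; it is not Ultimate Member's code, and the function names (render_member_row_unsafe, render_member_row_safe, store_display_name_at_registration) are hypothetical. The esc_html, esc_attr and sanitize_text_field fallbacks only approximate the real WordPress functions so the file runs under plain `php` outside WordPress.

```php
<?php
// Added example (not the plugin's code): unsafe vs. escaped rendering of a
// user-supplied display name in a member list. All function names here are
// hypothetical stand-ins for the kind of code a member directory contains.

// Stand-alone fallbacks so this runs under `php` without WordPress loaded.
// Inside WordPress the real functions are already defined and these are skipped.
if (!function_exists('esc_html')) {
    function esc_html($text) {
        return htmlspecialchars((string) $text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}
if (!function_exists('esc_attr')) {
    function esc_attr($text) {
        return htmlspecialchars((string) $text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}
if (!function_exists('sanitize_text_field')) {
    function sanitize_text_field($text) {
        // Approximation of WordPress' behaviour: drop tags, collapse whitespace.
        $text = strip_tags((string) $text);
        $text = preg_replace('/[\r\n\t ]+/', ' ', $text);
        return trim($text);
    }
}

// Vulnerable pattern: the stored display name is concatenated into markup as-is,
// both inside an attribute and as element text, so any markup it carries is
// interpreted by every visitor's browser.
function render_member_row_unsafe(array $user): string {
    return '<li class="member" data-name="' . $user['display_name'] . '">'
         . $user['display_name'] . '</li>';
}

// Hardened pattern: escape at output time, choosing the escaper that matches
// the context the value lands in (attribute vs. element text).
function render_member_row_safe(array $user): string {
    return '<li class="member" data-name="' . esc_attr($user['display_name']) . '">'
         . esc_html($user['display_name']) . '</li>';
}

// Defence in depth: also sanitize the display name when it is first accepted
// at registration, so tags never reach the database in the first place.
function store_display_name_at_registration(string $submitted): string {
    return sanitize_text_field($submitted);
}

// Constructed sample: a display name submitted at registration that carries markup.
$sample = ['display_name' => 'Alice <script>alert(1)</script>'];

echo "Unsafe: " . render_member_row_unsafe($sample) . PHP_EOL;
echo "Safe:   " . render_member_row_safe($sample) . PHP_EOL;
echo "Stored: " . store_display_name_at_registration($sample['display_name']) . PHP_EOL;
```

Running it prints the unsafe row with the `<script>` element intact, the safe row with `&lt;script&gt;` entities that a browser renders as text, and the sanitized stored value with the tags removed. The point for reviewers is that input sanitization alone is not sufficient (it is easy to miss a registration path) and output escaping alone is fragile if one template forgets it; a patched plugin does both.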
Recommendations:
- Update the Plugin: Ensure that the Ultimate Member plugin is updated to version 2.8.4 or later.
- Regular Security Checks: Perform regular security audits and updates on all WordPress plugins and themes.
- Use Security Solutions: Consider using security services like Wordfence to provide real-time protection against potential threats.