A critical vulnerability in the Ultimate Member WordPress plugin, installed on over 200,000 websites, has been identified, posing a significant risk of data extraction. Security firm Defiant disclosed the flaw, labeled CVE-2024-1071, which carries a high CVSS score of 9.8. The vulnerability allows unauthenticated attackers to manipulate SQL queries, potentially accessing sensitive information stored in databases.
The vulnerability arises from an insecure implementation in the plugin’s user query functionality, which fails to adequately protect against SQL injection attacks. Defiant’s researchers discovered that attackers can exploit the flaw using a time-based blind approach, employing SQL CASE statements and the sleep command to gauge response times and extract data. However, successful exploitation depends on the activation of the plugin’s “Enable custom table for usermeta” option.
Ultimate Member swiftly addressed the vulnerability with the release of version 2.8.3 on February 19, following its reporting on January 30. The researcher who reported the issue received a bug bounty reward of $2,063. While the vulnerability has been patched, users are strongly advised to update their plugins immediately to safeguard their websites against potential breaches. Defiant emphasizes the importance of proactive measures, as attackers could exploit chained vulnerabilities in plugins to achieve complete site takeovers, underscoring the ongoing vigilance required in WordPress security.
Reference:
