"Ultimate Member Plugin Flaw Exposes 100,000 WordPress Sites to Attacks"

According to security researchers at Defiant, a high-severity vulnerability in the Ultimate Member plugin can be exploited to inject malicious scripts into WordPress sites.  Tracked as CVE-2024-2123, the vulnerability is described as a stored cross-site scripting (XSS) issue via several parameters, allowing attackers to inject web scripts into a site’s pages to be executed whenever those pages are loaded. The researchers noted that the flaw exists because of insufficient input sanitization and output escaping. An insecure implementation of the plugin’s members directory list functionality enables unauthenticated attackers to inject web scripts. The researchers stated that because the “user display name is displayed unescaped in the plugin template files” and because functions used to compile user data use no escape function either, an attacker can provide a malicious script as a user name during the registration process. The researchers noted that typically, XSS flaws such as CVE-2024-2123 can be exploited to inject code to create new administrative accounts, redirect visitors to malicious sites, or inject backdoors. The security defect was submitted via the Wordfence bug bounty program on February 28. The plugin’s developers were informed of the bug on March 2, and a patch was released on March 6. The flaw impacts Ultimate Member versions 2.8.3 and prior. Users are advised to update to Ultimate Member 2.8.4 as soon as possible. Ultimate Member has more than 200,000 active installations. According to WordPress’ statistics, the plugin has been downloaded roughly 100,000 times over the past seven days, suggesting that half of its users remain vulnerable to CVE-2024-2123.

SecurityWeek reports: "Ultimate Member Plugin Flaw Exposes 100,000 WordPress Sites to Attacks"