harald@hub.volse.no

Hacking Campaign Actively Exploiting Ultimate Member Plugin - WPScan WordPress Security

Recently, Automattic’s WP.cloud and Pressable.com platforms identified a trend in compromised sites, where rogue new administrator accounts kept appearing in the affected sites. After some investigation, we witnessed a post on the WordPress.org support forums by Slavic Dragovtev discussing a potential security issue, specifically a Privilege Escalation vulnerability, with the Ultimate Member plugin (200,000+ active installs). Worryingly, there were indications that this issue was being actively exploited by malicious actors.

In response to the vulnerability report, the creators of the plugin promptly released a new version, 2.6.4, intending to fix the problem. However, upon investigating this update, we found numerous methods to circumvent the proposed patch, implying the issue is still fully exploitable.

This is a nasty one! If you have a WordPress site with the Ultimate Member plugin installed, disable it immediately until the fix in version 2.6.7 has been confirmed.
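Two checks that follow from the advice above, written as an added example (not code from WPScan, the Ultimate Member project, or the original post): decide from the installed version whether the plugin still has to stay disabled (anything below the 2.6.7 fix named above), and list administrator accounts registered after a cutoff, since rogue new admin accounts were the indicator of compromise described. The `ultimate-member` plugin slug, the `wp` CLI invocations in the comments, and the CSV sample are assumptions and constructed data, not taken from the post.

```shell
#!/bin/sh
# Added example, not part of the original post or the plugin's own tooling.
# Assumptions: the plugin slug is "ultimate-member" and `wp user list` emits the
# CSV shape sampled below. Run it on a site after substituting real values.

# um_version_lt A B: true (exit 0) when dotted version A sorts below B.
# Pure awk so it works without GNU `sort -V`.
um_version_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, x, "."); m = split(b, y, ".");
        k = (n > m) ? n : m;
        for (i = 1; i <= k; i++) {
            ai = (i <= n) ? x[i] + 0 : 0;
            bi = (i <= m) ? y[i] + 0 : 0;
            if (ai < bi) exit 0;
            if (ai > bi) exit 1;
        }
        exit 1   # equal versions are not "less than"
    }'
}

# um_needs_mitigation VERSION: true when the installed release predates the
# 2.6.7 fix the post names, i.e. the plugin should remain deactivated.
um_needs_mitigation() {
    um_version_lt "$1" "2.6.7"
}

# recent_admins CUTOFF: read CSV (user_login,user_registered) on stdin and print
# the logins of accounts registered on or after CUTOFF (YYYY-MM-DD).
# ISO dates compare correctly as strings, so no date parsing is needed.
recent_admins() {
    awk -F, -v c="$1" 'NR > 1 && substr($2, 1, 10) >= c { print $1 }'
}

# Constructed sample in the shape of (assumed):
#   wp user list --role=administrator --fields=user_login,user_registered --format=csv
SAMPLE_USERS='user_login,user_registered
siteowner,2019-03-12 08:15:00
wpadmin_9f3,2023-06-29 02:41:17
backup-admin,2023-06-30 11:05:44'

# Installed version to evaluate; on a live site obtain it with (assumed):
#   wp plugin get ultimate-member --field=version
INSTALLED_VERSION="${INSTALLED_VERSION:-2.6.4}"

if um_needs_mitigation "$INSTALLED_VERSION"; then
    echo "Ultimate Member $INSTALLED_VERSION predates 2.6.7: keep it deactivated"
    echo "  (wp plugin deactivate ultimate-member)"
else
    echo "Ultimate Member $INSTALLED_VERSION is at or past the 2.6.7 fix"
fi

# Pick the cutoff yourself, e.g. the date the site was last known clean.
echo "Administrator accounts registered since 2023-06-01 (constructed sample):"
printf '%s\n' "$SAMPLE_USERS" | recent_admins 2023-06-01
```

Any login printed by the second check that you did not create yourself warrants the same treatment as a confirmed compromise: remove the account, rotate credentials and salts, and review what else changed on the site while the account existed.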

#WordPress #WPScan #infosec #security #privesc