WordPress plugin lets users become admins – Patch early, patch often!
03-Jul-23
Make sure you have the most recent version of the Ultimate Members plugin installed if you run a WordPress website. The plugin’s developer released version 2.6.7 over the weekend, which is meant to close a significant security gap as detailed by user @softwaregeek on the WordPress support website.
CVE-2023-3460, a serious flaw in the plugin, enables an unauthenticated attacker to sign up as an administrator and gain total control of the website. The registration form for the plugin is where the issue is. It looks that you can modify some values in this form to register the account. Included in this is the wp_capabilities variable, which establishes a user’s position inside the website.
