The Ultimate Member WordPress plugin before 2.6.7 does not prevent visitors from creating user accounts with arbitrary capabilities, effectively allowing attackers to create administrator accounts at will. This is actively being exploited in the wild.
References
Link | Resource |
---|---|
https://blog.wpscan.com/hacking-campaign-actively-exploiting-ultimate-member-plugin/ | Third Party Advisory |
https://wpscan.com/vulnerability/694235c7-4469-4ffd-a722-9225b19e98d7 | Exploit Patch |
Configurations
History
07 Nov 2023, 04:18
Type | Values Removed | Values Added |
---|---|---|
CWE |
14 Jul 2023, 14:44
Type | Values Removed | Values Added |
---|---|---|
First Time |
Ultimatemember ultimate Member
Ultimatemember |
|
CPE | cpe:2.3:a:ultimatemember:ultimate_member:*:*:*:*:*:wordpress:*:* | |
CVSS |
v2 : v3 : |
v2 : unknown
v3 : 9.8 |
References | (MISC) https://blog.wpscan.com/hacking-campaign-actively-exploiting-ultimate-member-plugin/ - Third Party Advisory | |
References | (MISC) https://wpscan.com/vulnerability/694235c7-4469-4ffd-a722-9225b19e98d7 - Exploit, Patch |
04 Jul 2023, 08:15
Type | Values Removed | Values Added |
---|---|---|
New CVE |
Information
Published : 2023-07-04 08:15
Updated : 2023-12-10 15:01
NVD link : CVE-2023-3460
Mitre link : CVE-2023-3460
CVE.ORG link : CVE-2023-3460
JSON object : View
Products Affected
ultimatemember
- ultimate_member
CWE
No CWE.