City
Epaper

Over 2 lakh WordPress websites vulnerable to hacking due to plugin bug

By IANS | Updated: July 2, 2023 11:35 IST

New Delhi, July 2 More than 2 lakh WordPress websites are at the hacking risk due to a ...

Open in App

New Delhi, July 2 More than 2 lakh WordPress websites are at the hacking risk due to a critical unpatched security vulnerability that was being actively exploited by malicious actors.

According to WordPress security firm WPScan, the bug is present in the Ultimate Member plugin, which is a free user profile WordPress plugin that makes it easy to create powerful online communities and membership sites with WordPress.

"This is a very serious issue as unauthenticated attackers may exploit this vulnerability to create new user accounts with administrative privileges, giving them the power to take complete control of affected sites," the security firm warned.

There was "no complete fix to this issue" and worryingly, "there were indications that this issue was being actively exploited by malicious actors," the firm added.

In response to the vulnerability report, the creators of the plugin promptly released a new version, 2.6.4, intending to fix the problem.

"However, upon investigating this update, we found numerous methods to circumvent the proposed patch, implying the issue is still fully exploitable," the WPScan team noted.

The plugin operates by using a pre-defined list of user metadata keys that users should not manipulate.

It uses this list to check if users are attempting to register these keys when creating an account.

"Unfortunately, differences in how the Ultimate Member’s blocklist logic and how WordPress treats metadata keys made it possible for attackers to trick the plugin into updating some it shouldn’t," said the team.

The security researchers recommend that the users should disable the Ultimate Member plugin until a patch that completely remediates this security issue is made available.

Sites on WP.cloud hosts, such as WordPress.com and Pressable.com, have received a platform-level patch to help mitigate the vulnerability.

Disclaimer: This post has been auto-published from an agency feed without any modifications to the text and has not been reviewed by an editor

Tags: congresspitrodadelhimodideepikabjpwest-bengaldeepika-padukoneajay-devgnthakur
Open in App

Related Stories

National19-Year Old Dies After Allegedly Jumping from Police Van in Delhi; Family Alleges Custodial Death (Watch Video)

NationalKolkata Hotel Fire: 14 Killed As Massive Blaze Rips Through Rituraj Hotel Near Falpatti Machhua

LifestyleBollywood Actresses Who Pulled Off Corset-Styled Outfits With Flair

EntertainmentKaran Johar Responds to Groom Calling off Wedding After DJ plays Channa Mereya from Ae Dil Hai Mushkil, Says...

NationalDelhi Crime: 20-Year-Old Shot Dead Outside Residence in Seelampur; Police Launch Manhunt for Killers (Watch Video)

Technology Realted Stories

TechnologyGovt incentives, infra investments continue to drive EV adoption in India: Report

TechnologyNew machine algorithm can identify heart, fracture risks with routine bone scans

TechnologyAustralian researchers find same arm for both shots boosts vaccine response

TechnologySouth Korea, US to launch working-level talks on tariffs this week

TechnologySamsung’s Q1 net profit up 21.7 pc on strong mobile sales, chips sluggish