WordPress Plugin Alert: More than 200K Websites are at risk from a Critical SQLi Vulnerability

A serious security flaw has come to light in Ultimate Member, a popular WordPress plugin with over 200,000 active installs. The vulnerability, tracked as CVE-2024-1071, carries a CVSS score of 9.8 out of a maximum of 10. Security researcher Christiaan Swiers is credited with finding and reporting it.

WordPress security firm Wordfence said in an advisory released last week that the plugin is “vulnerable to SQL Injection via the sorting parameter in versions 2.1.3 to 2.8.2 due to insufficient escaping on the user-supplied parameter and lack of sufficient preparation on the existing SQL query.”

As a result, unauthenticated attackers could exploit the vulnerability to append additional SQL queries to existing ones and extract sensitive information from the database. Note that only users who have enabled the "Enable custom table for user meta" option in the plugin settings are affected by this issue.
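The flaw class the advisory describes, shown as an added illustration rather than the plugin's own code: a sorting parameter lands in an ORDER BY clause, where bind parameters cannot carry column names, so escaping or preparing the query is not enough and the value has to be checked against an allowlist of columns the code itself controls. The table name, columns and rows below are constructed for the demo.

```python
import sqlite3

# Public sort names mapped to the real column identifiers (constructed for this demo).
ALLOWED_SORT = {"login": "user_login", "registered": "user_registered"}


def build_query_unsafe(sort: str) -> str:
    """Vulnerable pattern: the caller-supplied sort value is concatenated into ORDER BY.
    Quote-escaping does not help because ORDER BY expects an identifier, not a string
    literal, and a prepared statement cannot bind an identifier either."""
    return f"SELECT user_login FROM demo_users ORDER BY {sort}"


def build_query_safe(sort: str, descending: bool = False) -> str:
    """Hardened form: only identifiers written by this code ever reach the SQL text.
    Anything not in the allowlist is rejected instead of being escaped."""
    column = ALLOWED_SORT.get(sort)
    if column is None:
        raise ValueError(f"unsupported sort column: {sort!r}")
    direction = "DESC" if descending else "ASC"
    return f"SELECT user_login FROM demo_users ORDER BY {column} {direction}"


def run(query: str) -> list[str]:
    """Execute a query against a constructed in-memory table so the example runs offline."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE demo_users (user_login TEXT, user_registered TEXT)")
    con.executemany(
        "INSERT INTO demo_users VALUES (?, ?)",
        [("carol", "2024-02-01"), ("alice", "2024-01-15"), ("bob", "2024-01-20")],
    )
    rows = con.execute(query).fetchall()
    con.close()
    return [r[0] for r in rows]


if __name__ == "__main__":
    # A benign injected fragment: the unsafe builder executes it without complaint,
    # the safe builder refuses the whole value.
    crafted = "user_login, (SELECT 1)"
    print(run(build_query_unsafe(crafted)))
    try:
        build_query_safe(crafted)
    except ValueError as exc:
        print("rejected:", exc)
    print(run(build_query_safe("registered", descending=True)))
```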

Following responsible disclosure on January 30, 2024, the plugin developers released version 2.8.3 on February 19, 2024, which fixes the issue. Users are urged to update the plugin to the latest version as soon as possible to reduce the risk, especially since Wordfence has already blocked one attempt to exploit the vulnerability in the last 24 hours.

Another vulnerability in the same plugin (CVE-2023-3460, CVSS score: 9.8) was actively exploited by threat actors in July 2023 to create rogue admin users and take over vulnerable websites.

The development coincides with a rise in a new campaign that uses compromised WordPress websites either to inject cryptocurrency drainers such as Angel Drainer directly or to redirect visitors to Web3 phishing sites carrying drainers.

“These attacks leverage phishing tactics and malicious injections to exploit the Web3 ecosystem's reliance on direct wallet interactions, presenting a significant risk to both website owners and the safety of user assets,” Denis Sinegubko, a Sucuri researcher, said.

It also follows the discovery of a new drainer-as-a-service (DaaS) scheme known as CG (short for CryptoGrab), which runs an affiliate network of 10,000 members who speak Chinese, English, and Russian.

The scheme “refers attackers to a Telegram bot that enables them to run their fraud operations without any third-party dependencies,” according to a report published by Cyfirma late last month, which highlights actor-controlled Telegram channels as one of the concerns.

“The bot allows a user to get a domain for free, clone an existing template for the new domain, set the wallet address where the scammed funds are supposed to be sent, and also provides Cloudflare protection for that new domain.”

Additionally, the threat group has been observed cloning existing, legitimate websites and putting the copies behind Cloudflare using two purpose-built Telegram bots, named SiteCloner and CloudflarePage respectively. These pages are most often distributed through hacked X (formerly Twitter) accounts.