Ultimate Member: 200,000 WordPress sites vulnerable to Cyber Villains onslaught

Upgrade now so that you don't lose control of your web resources.

A critical vulnerability has been discovered in the popular Ultimate Member plugin for WordPress, threatening the security of more than 200,000 websites that use this extension. The vulnerability, tracked as CVE-2024-1071, carries a CVSS score of 9.8, which places it in the critical severity range.

Discovery of the problem is credited to security researcher Christiaan Swiers. Experts from Wordfence, a company specializing in WordPress security, published a detailed report describing the issue.

The vulnerability is an SQL injection via the sorting parameter in plugin versions 2.1.3 through 2.8.2. Insufficient filtering of the incoming parameter and a lack of proper preparation of the SQL query allow unauthorized users to append arbitrary SQL to existing queries and extract confidential information from the database.

Sites that have enabled the "Enable custom table for usermeta" option in the plugin settings are particularly at risk.
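The weakness described above is the classic "sort parameter lands in ORDER BY" pattern. As an added illustration (not the plugin's code and not from the Wordfence report), the snippet below shows the vulnerable concatenation next to an allow-list fix; the table and column names are constructed for the example.

```php
<?php
// Illustrative only: not Ultimate Member's code. Table/columns are constructed.
// ORDER BY takes identifiers, not values, so $wpdb->prepare()'s %s placeholder
// cannot protect it (it would quote the column name and break the query).
// Developers therefore tend to concatenate the raw parameter, as shown here.

// VULNERABLE: whatever the client sends in ?sort=... becomes SQL text.
function build_query_vulnerable(string $sort): string
{
    return "SELECT user_id, display_name FROM wp_example_usermeta ORDER BY " . $sort;
}

// HARDENED: the public sort key is only ever a lookup key. The SQL fragment
// comes from a fixed map, so no client-controlled characters reach the query.
function build_sort_clause(string $sort): string
{
    $allowed = [
        'newest'    => 'user_registered DESC',
        'oldest'    => 'user_registered ASC',
        'name_asc'  => 'display_name ASC',
        'name_desc' => 'display_name DESC',
    ];
    // Unknown keys fall back to a safe default rather than being rejected with
    // an error that leaks which keys exist.
    return $allowed[$sort] ?? $allowed['newest'];
}

function build_query_hardened(string $sort): string
{
    return "SELECT user_id, display_name FROM wp_example_usermeta ORDER BY "
        . build_sort_clause($sort);
}

// Constructed inputs: a legitimate key, and a plausible-looking raw SQL
// fragment that is NOT in the allow-list and so must never reach the query.
foreach (['name_asc', 'user_login DESC'] as $input) {
    echo "input: {$input}\n";
    echo "  vulnerable: " . build_query_vulnerable($input) . "\n";
    echo "  hardened:   " . build_query_hardened($input) . "\n";
}
```

WordPress core also ships `sanitize_sql_orderby()`, which validates the "column ASC, column2 DESC" shape; the allow-list above is stricter because it additionally restricts sorting to columns the application intends to expose.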

After the problem was responsibly disclosed on January 30, 2024, the developers fixed it and released an update on February 19 that addresses the vulnerability. Users are advised to update the plugin to the latest version immediately to protect against potential threats.

Even before publishing their report and publicly disclosing the vulnerability, Wordfence experts had already observed an attempt to exploit it, which classifies CVE-2024-1071 as a zero-day vulnerability and makes the update even more urgent.

It is noteworthy that in July 2023 a similar vulnerability in the same plugin was already exploited by attackers to create fake administrator accounts and seize control of sites.

In addition, there has recently been a surge in campaigns that use compromised WordPress sites to deploy cryptocurrency "ransomware" and redirect visitors to phishing sites targeting the Web3 ecosystem. The launch of a new "Drainer-as-a-Service" (DaaS) scheme focused on cryptocurrency fraud further highlights the severity of threats in today's digital space.

To protect your web resources from possible attacks, it is essential to monitor cybersecurity news continuously and to install updates for the software you use as soon as they become available.