CVE-2023-3460
Published: 04 July 2023
Summary
CVE-2023-3460 is a critical-severity vulnerability of unspecified weakness type in the Ultimate Member plugin (vendor: Ultimatemember). Its CVSS base score is 9.8 (Critical).
Operationally, it ranks in the top 0.2% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
Deeper analysis
The Ultimate Member WordPress plugin before version 2.6.7 contains a flaw that allows visitors to register accounts with arbitrary role capabilities. This affects any site running the vulnerable plugin and carries a CVSS 3.1 score of 9.8 reflecting network-accessible exploitation without authentication or user interaction.
Unauthenticated remote attackers can therefore create administrator accounts at will, granting them full control over the WordPress installation including plugin installation, content modification, and user management. The supplied references document an active exploitation campaign targeting this issue.
Advisories published by WPScan describe the ongoing attacks and point to the availability of a fixed release. Site operators should update the plugin to version 2.6.7 or later to close the registration bypass.
The vulnerability is noted as actively exploited in the wild, consistent with its current and peak EPSS score of 0.9297.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2023-44122
Vulnerability details
The Ultimate Member WordPress plugin before 2.6.7 does not prevent visitors from creating user accounts with arbitrary capabilities, effectively allowing attackers to create administrator accounts at will. This is actively being exploited in the wild.
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Mitigating Controls
No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.