Cyber Resilience

CVE-2023-3460

Critical · Public PoC

Published: 04 July 2023
Modified: 21 November 2024
KEV Added: not listed
Patch: available
CVSS v3.1 Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.9297 (99.8th percentile)
Risk Priority: 75 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2023-3460 is a critical-severity vulnerability of unspecified weakness type (no CWE listed) in the Ultimate Member plugin by Ultimatemember. Its CVSS base score is 9.8 (Critical).

Operationally, it ranks in the top 0.2% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; and a public proof-of-concept is referenced.

Deeper analysis

The Ultimate Member WordPress plugin before version 2.6.7 contains a flaw that allows visitors to register accounts with arbitrary role capabilities. This affects any site running the vulnerable plugin and carries a CVSS 3.1 score of 9.8, reflecting network-accessible exploitation that requires neither authentication nor user interaction.

Unauthenticated remote attackers can therefore create administrator accounts at will, granting them full control over the WordPress installation including plugin installation, content modification, and user management. The supplied references document an active exploitation campaign targeting this issue.

Advisories published by WPScan describe the ongoing attacks and point to the availability of a fixed release. Site operators are expected to update the plugin to version 2.6.7 or later to close the registration bypass.

The vulnerability is noted as actively exploited in the wild, consistent with its current and peak EPSS score of 0.9297.

Vulnerability details

The Ultimate Member WordPress plugin before 2.6.7 does not prevent visitors from creating user accounts with arbitrary capabilities, effectively allowing attackers to create administrator accounts at will. This is actively being exploited in the wild.

CWE(s): None listed

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: ultimatemember
Product: ultimate member
Versions: ≤ 2.6.7

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.