Connect with us

Hi, what are you looking for?



Ultimate Member Plugin Flaw Exposes 100,000 WordPress Sites to Attacks

A high-severity XSS vulnerability in the Ultimate Member plugin allows attackers to inject scripts into WordPress sites.

A high-severity vulnerability in the Ultimate Member plugin can be exploited to inject malicious scripts into WordPress sites, the Wordfence team at WordPress security firm Defiant warns.

Tracked as CVE-2024-2123, the vulnerability is described as a stored cross-site scripting (XSS) issue via several parameters, allowing attackers to inject web scripts into a site’s pages, to be executed whenever those pages are loaded.

The flaw, Wordfence explains, exists because of insufficient input sanitization and output escaping. An insecure implementation of the plugin’s members directory list functionality enables unauthenticated attackers to inject web scripts.

Because the “user display name is displayed unescaped in the plugin template files” and because functions used to compile user data use no escape function either, an attacker can provide a malicious script as a user name during the registration process.

Typically, XSS flaws such as CVE-2024-2123 can be exploited to inject code to create new administrative accounts, redirect visitors to malicious sites, or inject backdoors, Wordfence notes.

“Combined with the fact that the vulnerability can be exploited by attackers with no privileges on a vulnerable site, this means that there is a high chance that unauthenticated attackers could gain administrative user access on sites running the vulnerable version of the plugin when successfully exploited,” Wordfence notes.

The security defect was submitted via the Wordfence bug bounty program on February 28. The plugin’s developers were informed of the bug on March 2 and a patch was released on March 6.

The flaw impacts Ultimate Member versions 2.8.3 and prior. Users are advised to update to Ultimate Member 2.8.4 as soon as possible.

Advertisement. Scroll to continue reading.

A user profile and membership WordPress plugin supporting user registration, logins, profiles, and more, Ultimate Member has more than 200,000 active installations.

According to WordPress’ statistics, the plugin has been downloaded roughly 100,000 times over the past seven days, suggesting that half of its users remain vulnerable to CVE-2024-2123.

Related: Critical Flaw in Popular ‘Ultimate Member’ WordPress Plugin

Related: Websites Hacked via Vulnerability in Bricks Builder WordPress Plugin

Related: Flaws in Backup Migration and Elementor WordPress Plugins Allow Remote Code Execution

Written By

Ionut Arghire is an international correspondent for SecurityWeek.


Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.


SecurityWeek’s Ransomware Resilience and Recovery Summit helps businesses to plan, prepare, and recover from a ransomware incident.


People on the Move

Shay Mowlem has been named CMO of runtime and application security company Contrast Security.

Attack detection firm Vectra AI has appointed Jeff Reed to the newly created role of Chief Product Officer.

Shaun Khalfan has joined payments giant PayPal as SVP, CISO.

More People On The Move

Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...


A researcher at IOActive discovered that home security systems from SimpliSafe are plagued by a vulnerability that allows tech savvy burglars to remotely disable...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...


Patch Tuesday: Microsoft calls attention to a series of zero-day remote code execution attacks hitting its Office productivity suite.


Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.

IoT Security

A vulnerability affecting Dahua cameras and video recorders can be exploited by threat actors to modify a device’s system time.