A high-severity vulnerability in the Ultimate Member plugin can be exploited to inject malicious scripts into WordPress sites, the Wordfence team at WordPress security firm Defiant warns.
Tracked as CVE-2024-2123, the vulnerability is described as a stored cross-site scripting (XSS) issue via several parameters, allowing attackers to inject web scripts into a site’s pages, to be executed whenever those pages are loaded.
The flaw, Wordfence explains, exists because of insufficient input sanitization and output escaping. An insecure implementation of the plugin’s members directory list functionality enables unauthenticated attackers to inject web scripts.
Because the “user display name is displayed unescaped in the plugin template files” and because functions used to compile user data use no escape function either, an attacker can provide a malicious script as a user name during the registration process.
Typically, XSS flaws such as CVE-2024-2123 can be exploited to inject code to create new administrative accounts, redirect visitors to malicious sites, or inject backdoors, Wordfence notes.
“Combined with the fact that the vulnerability can be exploited by attackers with no privileges on a vulnerable site, this means that there is a high chance that unauthenticated attackers could gain administrative user access on sites running the vulnerable version of the plugin when successfully exploited,” Wordfence notes.
The security defect was submitted via the Wordfence bug bounty program on February 28. The plugin’s developers were informed of the bug on March 2 and a patch was released on March 6.
The flaw impacts Ultimate Member versions 2.8.3 and prior. Users are advised to update to Ultimate Member 2.8.4 as soon as possible.
A user profile and membership WordPress plugin supporting user registration, logins, profiles, and more, Ultimate Member has more than 200,000 active installations.
According to WordPress’ statistics, the plugin has been downloaded roughly 100,000 times over the past seven days, suggesting that half of its users remain vulnerable to CVE-2024-2123.
Related: Critical Flaw in Popular ‘Ultimate Member’ WordPress Plugin
Related: Websites Hacked via Vulnerability in Bricks Builder WordPress Plugin
Related: Flaws in Backup Migration and Elementor WordPress Plugins Allow Remote Code Execution