Over 200,000 WordPress sites are vulnerable to ongoing attacks targeting the Ultimate Member Plugin. The service allows users to easily add profiles, define roles, and create member directories. CVE-2023-3460 allows hackers to add new administrative accounts to the user group.

WPScan, WordPress’s security firm, says that the bug is rooted in a conflict between the plugin’s blocklist logic and WordPress metadata keys. Hackers can exploit operational differences between the plugin and WordPress to trick Ultimate Member into updating the metadata keys. These keys include data that contain user role and capability information. WordPress advised site owners to disable the problematic plugin and closely monitor administrative accounts on their websites.

Read More: