This week started off with the disclosure of three vulnerabilities in WordPress. WordPence declared that vulnerabilities affecting a community plugin called Ultimate Member have been patched. These vulnerabilities were critical & severe & could’ve allowed unauthorized users to gain administrator-level access on websites. This would have deemed them capable of making critical changes in the websites. 

All versions of WordPress 2.1.11 or lower have been affected by these vulnerabilities. Two of the three vulnerabilities were unauthenticated exploits while the remaining one was an authenticated exploit. WordPress has patched these vulnerabilities in the system & has asked the users to update their systems in due time. 

Up to 100,000 users under risk

The said plugin Ultimate Member is used by up to 100,000 users globally, putting all of them at risk. This plugin was designed as a community plugin that provides certain users with greater access to services on websites. It can be used by WordPress publishers in scenarios like Subscription, wherein Subscribers get greater access to the website. 

Along with this, they get membership privileges like publishing on the site. Site owners can also create custom roles and also automatically create three forms, viz. User Registration, User Login and Profile Management.

After being affected by the vulnerability, these users at various levels can exploit their privileges. Attackers can exploit this factor & acquire greater privileges on the website while registering in role parameters. This would allow the attacker to gain administrator privileges & make any changes on the website including the introduction of certain malware

WordPress launches update to Patch Vulnerabilities

WordPence first discovered the three vulnerabilities on the 23rd of October & confirmed them by the 26th of October. Of these, 1 vulnerability was an authenticated exploit meaning that it only allowed registered users to exploit their privileges. But the remaining 2 vulnerabilities were unauthenticated exploits meaning even the unregistered users could exploit their privileges to gain administrator privileges on the websites. 

Also read,

Once the vulnerabilities were disclosed to WordPress, they soon released an update patching these vulnerabilities.  The update was released on the 9th of November & all WordPress users were urged to update their system to the latest 2.1.12 version. By updating their systems, one can easily ensure the safety of their sites on WordPress. 

WordPress has acted impeccably in order to patch the vulnerabilities in due time. Though no reports of vulnerabilities being exploited have come to light, it is of significance to safeguard your systems by updating. We urge all WordPress users to update their systems for the same. It was a big feat on WordPress’s end to prioritize their users’ data & fix the vulnerabilities soon.