Discover a Critical Security Vulnerability in Ultimate Member WordPress Plugin
A critical vulnerability has been unearthed in the widely-used WordPress plugin, Ultimate Member, boasting over 200,000 active installations. This vulnerability, identified as CVE-2024-2123, poses a severe threat as it allows malicious actors to inject harmful scripts, effectively executing cross-site scripting (XSS) attacks.
Security researchers have raised the alarm on this issue, emphasizing its potential to inject malicious scripts on every page load. Furthermore, the vulnerability stems from inadequate input data handling and output sanitization within the user list functionality. Exploiting this flaw enables unauthorized parties to inject malicious scripts, typically during user registration, due to improper sanitization of displayed usernames in file templates.
These vulnerabilities often lead to the creation of administrator-level accounts, redirection to phishing sites, and insertion of backdoors. The affected versions include Ultimate Member up to 2.8.3, prompting users to promptly update to version 2.8.4 to mitigate risks.
Moreover, website administrators can adopt proactive measures to bolster their WordPress site security. Embracing solutions like WebTotem, a robust security plugin, can provide comprehensive protection. WebTotem conducts automatic scans, identifying all installed plugins and their versions, thereby offering insights into potential vulnerabilities. By leveraging WebTotem’s advanced security features, website owners can strengthen their defenses against potential threats and ensure a safer online environment
