Home » News » Over 200,000 WordPress Accounts at Risk Thanks to Plugin Vulnerability

Over 200,000 WordPress Accounts at Risk Thanks to Plugin Vulnerability

If you click to purchase a product or service based on our independent recommendations and impartial reviews, we may receive a commission. Learn more

headshot of Sam Jagger
Written by
Updated on July 13, 2023
Straight to your inbox
Smartphone sits on an open laptop, with the Website Builder Expert newlsetter open on both screens

Sign up to Website Builder Expert’s weekly newsletter

Get the latest tips and industry insights about building traffic to your website

SUBSCRIBE
Written and researched by:
headshot of Sam Jagger

icon comments svg Comments: 0

A creepy illustrated man steps out form inside a phone next to the WordPress logo
  • Ultimate Member, a WordPress plugin with over 200,000 active installations, has had a security vulnerability exploited by hackers.
  • The vulnerability allowed hackers to gain admin-level privileges to all the user’s accounts and websites, even after a patch intended to stop them was released on June 28th.

Ultimate Member, a membership area plugin for WordPress, has had a security vulnerability exploited by hackers, giving them access to over 200,000 active users’ websites and account information. 

Ultimate Member is a popular membership plugin allowing users to create subscription sites and membership areas for their visitors. However, a fatal flaw was discovered in which visitors could essentially give themselves Administrator clearance across the site, giving them full access to the site’s information and also the original owner’s personal information. 

WordPress users rely on plugins for most of their website’s features, so potential safety flaws in one could expose flaws in others, which is a scary reality that WordPress users had to face in light of this news.

Wordfence, a global team of WordPress security experts and analysts, described the steps the hackers were taking to get Administrator access – the highest level of clearance on a WordPress site – as “trivial”. 

The Ultimate Member publishers found the patch by late June 2023, but by that point, it was too late. An update patch released on the 28th of June was intended to fix it, but Wordfence analysts later revealed that it had done nothing, stating:

Upon further investigation, we discovered that this vulnerability is being actively exploited and it hasn’t been adequately patched in the latest version available, which is 2.6.6 at the time of this writing

The Ultimate Member publishers issued a public apology on behalf of those users affected, saying that they had

“released several updates since the disclosure as we worked through the vulnerabilities”.

As of yet, the exploits are still ongoing. The current advice for those that have the plugin is to uninstall it immediately. 

Written by:
headshot of Sam Jagger
Being a Writer for Website Builder Expert isn’t just typing words on a laptop. Each day, I’m finding new and innovative ways to help you get online in a mode you feel comfortable with. And it’s a task I do with enthusiasm and gusto. Not only do I have experience building with all the providers we talk about - creating websites such as this Strikingly demo - but we also have our wonderful, constantly updated research fielded by our researchers, so you can be reassured that what we say is an honest reflection of our professional opinions. I’ve written articles and featured guest posts for apps like UXPin on web design in the modern age, as well as answered over 100 user comments on the site and delved into the world of choosing a domain name and adding Bitcoin payments to your site in my own pitched articles. All of this is to say that when I want to get you online - I mean it! Outside the office, I have attended the eCommerce Expo and built up a ton of industry knowledge through talks, workshops, and guided learning sessions with noted experts. The internet is made for everyone, so come online and let us help you get there.

Leave a comment

Your email address will not be published. Required fields are marked *