Skip to content Skip to footer

Attention: A severe SQL injection vulnerability puts over 200,000 websites at risk in WordPress plugins.

A recent security flaw has come to light in the Ultimate Member plugin, which has over 200,000 active installations. Identified as -2024-1071, the vulnerability has a high CVSS score of 9.8 out of 10. The flaw was discovered and reported by security researcher Christiaan Swiers. The flaw has been disclosed by security company Wordfence, which stated that versions 2.1.3 to 2.8.2 of the plugin are susceptible to via the ‘sorting' parameter due to insufficient escaping and lack of sufficient preparation on the existing SQL query.

This critical security flaw could allow unauthenticated attackers to append additional SQL queries to existing queries and extract sensitive data from the database. However, it is essential to note that this issue only affects users who have checked the “Enable custom table for user meta” option in the plugin settings.

The plugin have released a fix for the flaw with version 2.8.3 following responsible disclosure on January 30, 2024. Users are advised to update the plugin to the latest version as soon as possible to mitigate potential threats. Wordfence has blocked one attack attempting to the flaw over the past 24 hours.

In July 2023, another security flaw (-2023-3460, CVSS score: 9.8) was also found in the same plugin, actively exploited by threat actors to create rogue admin users and take control of vulnerable sites.

This recent development comes amidst a surge in a new campaign that leverages compromised sites to inject crypto drainers such as Angel Drainer directly or redirect site visitors to Web3 sites containing drainers. Sucuri researcher Denis Sinegubko stated, “These attacks leverage phishing tactics and malicious injections to the Web3 ecosystem's reliance on direct wallet interactions, presenting a significant risk to both website owners and the safety of user assets.”

Furthermore, researchers have discovered a new drainer-as-a-service (DaaS) scheme called CG, which runs a 10,000-member-strong affiliate program comprising Russian, English, and Chinese speakers. One of the threats actor-controlled Telegram channels “refers attackers to a telegram bot that enables them to run their fraud operations without any third-party dependencies,” as stated in a report by Cyfirma last month.

The threat group has also been using two custom Telegram bots called SiteCloner and CloudflarePage to clone an existing, legitimate website and add Cloudflare protection to it, respectively. These pages are distributed mainly using compromised X (formerly Twitter) accounts. Therefore, it is crucial to stay vigilant and keep all software up to date to avoid any potential threats.

Leave a comment

Newsletter Signup

The Grid —
The Matrix Has Me
Big Bear Lake, CA 92315

01010011 01111001 01110011 01110100 01100101 01101101 00100000
01000110 01100001 01101001 01101100 01110101 01110010 01100101

I know kung-fuNeo

Deitasoft © 2024. All Rights Reserved.