A critical security flaw has been found in a popular WordPress plugin called Ultimate Member that has more than 200,000 active installations.
The vulnerability, tracked as CVE-2024-1071, carries a CVSS score of 9.8 out of a possible 10. Security researcher Christiaan Swiers has been credited with discovering and reporting the flaw.
In an advisory published last week, WordPress security firm Wordfence said the plugin is “vulnerable to SQL Injection via the ‘sorting’ parameter in versions 2.1.3 to 2.8.2 due to insufficient escaping of the provided parameter by the user and lack of sufficient preparation on the existing SQL query.”
As a result, unauthenticated attackers could take advantage of the flaw to add additional SQL queries to existing queries and extract sensitive data from the database.
It’s worth noting that the issue only affects users who have checked the “Enable custom table for usermeta” option in the plugin settings.
Following the responsible communication on January 30, 2024, the plugin developers made a fix for the flaw available with the release of version 2.8.3 on February 19.
Users are advised to update the plugin to the latest version as soon as possible to mitigate potential threats, especially in light of the fact that Wordfence has already blocked an attack attempting to exploit the flaw in the last 24 hours.
In July 2023, another flaw of the same plugin (CVE-2023-3460, CVSS score: 9.8) was actively exploited by threat actors to create unauthorized administrator users and take control of vulnerable sites.
The development comes amid a surge in a new campaign that leverages compromised WordPress sites to directly inject cryptocurrency drain programs like Angel Drainer or redirect site visitors to Web3 phishing sites that contain drain programs.
“These attacks leverage phishing tactics and malicious injections to exploit the Web3 ecosystem’s reliance on direct wallet interactions, presenting significant risk to both website owners and the security of user assets,” the researcher said. Sucuri Denis Sinegubko.
It also follows the discovery of a new Drainer-as-a-Service (DaaS) scheme called CG (short for CryptoGrab) that runs a 10,000-member affiliate program made up of Russian, English and Chinese speakers.
One of the Telegram channels controlled by the threat actors “refers attackers to a Telegram bot that allows them to execute their fraud operations without third-party dependencies,” Cyfirma said in a report late last month.
“The bot allows the user to get a domain for free, clone an existing template for the new domain, set the wallet address to which the scammed funds should be sent, and also provides Cloudflare protection for that new domain.”
The threat group was also observed to use two custom Telegram bots called SiteCloner and CloudflarePage to clone an existing legitimate website and add Cloudflare protection to it, respectively. These pages are then mainly distributed using compromised X (formerly Twitter) accounts.