CVE-2023-3460
Published: 2023-07-04

Severity: critical (CVSS 3.1 base score 9.8; vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Priority: P188
Exploitation status: exploited in the wild (ITW); public exploit; listed in VulnCheck KEV; initial-access vector
EPSS: 72.31% (99.4th percentile)
The Ultimate Member WordPress plugin before 2.6.7 does not prevent visitors from creating user accounts with arbitrary capabilities, effectively allowing attackers to create administrator accounts at will. This is actively being exploited in the wild.

Affected (1 range)

Vendor: ultimatemember
Product: ultimate_member
Version range: < 2.6.7
Fixed in: 2.6.7

Detection & IOCs (extracted from sources)

path: /wp-content/plugins/ultimate-member
url: /wp-content/plugins/ultimate-member/readme.txt
url: /index.php/register/
  • Exploit POST request to the registration endpoint includes the URL-encoded parameter `wp_c%C3%A0pabilities%5Badministrator%5D=1` (homoglyph 'à' in 'capabilities') to bypass input sanitisation and inject administrator role during account creation.
  • Successful exploitation results in an HTTP 302 redirect response AND a `wordpress_logged_in_<32-hex-chars>` cookie being set in the response headers — monitor for this combination on registration endpoints.
  • Attacker fingerprinting phase uses WPScan (User-Agent WPScan/3.8.24) to probe the target before exploitation; look for requests to `/wp-content/plugins/ultimate-member/readme.txt` as a version-check precursor.
  • Post-exploitation persistence was achieved by writing a PHP webshell to a theme file (`hidden-comments.php`); monitor for unexpected PHP file creation/modification under `/wp-content/themes/` directories.
  • The webshell payload executes `uname -a; w; id; /bin/bash -i` — alert on child processes of web server (e.g., apache2/nginx) spawning `/bin/bash -i` or running `id`/`w`/`uname`.
  • Reverse shell beacon was directed to C2 `43.204.24.76` on port `6969`; monitor outbound connections from web-server processes to this host/port combination.
  • Linux privilege-escalation enumeration script `linenum.sh` was dropped on the compromised host; scan for this filename in web-accessible and temp directories.
  • The backdoor WordPress account was registered with username `secragon`; audit wp_users for accounts with administrator capabilities created after the exploitation window.
  • The homoglyph bypass character ('à', Unicode U+00E0) used in the `wp_càpabilities` parameter key may vary across exploit variants; defenders should normalise Unicode in POST body parameters before matching.
  • The exploit dynamically extracts the registration form's `form_id` and `_wpnonce` values from the page before submitting; static signatures matching fixed form IDs will miss real-world attacks.
  • The vulnerability affects Ultimate Member plugin versions prior to 2.6.7; the observed in-the-wild exploitation used version 2.6.4, confirming pre-patch versions are actively targeted.
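An added detection example, written for this page and not taken from the plugin, the cited sources or any vendor rule, that implements the normalisation advice in the bullets above. It URL-decodes the keys of a registration POST body, folds them with Unicode NFKD and strips combining marks so that any accented variant of `wp_capabilities` (precomposed or decomposed) compares equal to the ASCII key, and pairs that request indicator with the 302 + `wordpress_logged_in_<32 hex>` cookie response indicator. The request body, the response headers and the function names are constructed assumptions for illustration; the only values taken from the page are the parameter name, the endpoint path and the cookie prefix.

```python
import re
import unicodedata
from urllib.parse import parse_qsl

# Constructed sample request body and response (not a real capture): a
# registration POST carrying the homoglyph capability key described above.
SAMPLE_REQUEST_BODY = (
    "form_id=1234&_wpnonce=deadbeef00&user_login=secragon"
    "&user_email=x%40example.invalid&user_password=P%40ssw0rd"
    "&wp_c%C3%A0pabilities%5Badministrator%5D=1"
)
SAMPLE_RESPONSE = {
    "status": 302,
    "headers": [
        ("Location", "/"),
        ("Set-Cookie", "wordpress_logged_in_" + "a" * 32 + "=secragon%7C...; path=/; HttpOnly"),
    ],
}

# Matches the folded key form wp_capabilities[<role>].
CAPABILITY_KEY = re.compile(r"^wp_capabilities\[(?P<role>[^\]]+)\]$")
# Matches the WordPress auth cookie name pattern cited in the IOCs.
LOGGED_IN_COOKIE = re.compile(r"^wordpress_logged_in_[0-9a-f]{32}=")


def fold_key(key: str) -> str:
    """Fold a form-field name so homoglyph variants compare equal to the ASCII key.

    NFKD splits a precomposed 'à' (U+00E0) into 'a' + U+0300; dropping the
    combining mark leaves plain 'a'. Already-decomposed input folds the same way.
    """
    decomposed = unicodedata.normalize("NFKD", key)
    return "".join(ch for ch in decomposed if not unicodedata.combining(ch)).lower()


def injected_roles(body: str) -> list[str]:
    """Return the roles named by any wp_capabilities[...] key in a POST body.

    Keys are URL-decoded by parse_qsl and then Unicode-folded before matching,
    so a fixed ASCII signature is not required to catch accented variants.
    """
    roles = []
    for raw_key, value in parse_qsl(body, keep_blank_values=True):
        match = CAPABILITY_KEY.match(fold_key(raw_key))
        if match and value.strip() not in ("", "0"):
            roles.append(match.group("role"))
    return roles


def response_indicates_login(response: dict) -> bool:
    """True when a registration response is a 302 that also sets a wordpress_logged_in_ cookie."""
    if response.get("status") != 302:
        return False
    return any(
        name.lower() == "set-cookie" and LOGGED_IN_COOKIE.match(value)
        for name, value in response.get("headers", [])
    )


def classify(path: str, body: str, response: dict) -> dict:
    """Combine the request and response indicators for one registration transaction.

    'attempt' means a capability key was injected; 'likely_exploited' means the
    server additionally answered with the 302 + logged-in cookie combination.
    """
    on_register = path.rstrip("/").endswith("/register")
    roles = injected_roles(body) if on_register else []
    logged_in = response_indicates_login(response)
    if roles and logged_in:
        verdict = "likely_exploited"
    elif roles:
        verdict = "attempt"
    else:
        verdict = "benign"
    return {"verdict": verdict, "roles": roles, "logged_in": logged_in}


if __name__ == "__main__":
    print(classify("/index.php/register/", SAMPLE_REQUEST_BODY, SAMPLE_RESPONSE))
```

The folding step is what makes the rule robust to the variant characters the bullets warn about: the regex is written once against the ASCII key, and every accented spelling of the parameter collapses onto it before matching. Running the same fold over the response is unnecessary, since the cookie name is emitted by WordPress itself and has no attacker-controlled characters.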

CVSS provenance

NVD (CVSS v3.1): 9.8 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
VulnCheck: 9.8 CRITICAL