CVE-2023-3460
Published 2023-07-04
Priority: P188 · critical · 9.8 (CVSS 3.1)
CVSS vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Tags: ITW · Exploit · VulnCheck KEV · Initial access
Exploited in the wild
EPSS: 72.31% (99.4th percentile)
The Ultimate Member WordPress plugin before 2.6.7 does not prevent visitors from creating user accounts with arbitrary capabilities, effectively allowing attackers to create administrator accounts at will. This is actively being exploited in the wild.
Affected
1 range
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| ultimatemember | ultimate_member | < 2.6.7 | 2.6.7 |
Detection & IOCs (extracted from sources)
- The exploit POST request to the registration endpoint includes the URL-encoded parameter `wp_c%C3%A0pabilities%5Badministrator%5D=1` (homoglyph 'à' in 'capabilities') to bypass input sanitisation and inject the administrator role during account creation.
- Successful exploitation results in an HTTP 302 redirect response together with a `wordpress_logged_in_<32-hex-chars>` cookie being set in the response headers; monitor for this combination on registration endpoints.
- The attacker fingerprinting phase used WPScan (User-Agent `WPScan/3.8.24`) to probe the target before exploitation; look for requests to `/wp-content/plugins/ultimate-member/readme.txt` as a version-check precursor.
- Post-exploitation persistence was achieved by writing a PHP webshell to a theme file (`hidden-comments.php`); monitor for unexpected PHP file creation or modification under `/wp-content/themes/` directories.
- The webshell payload executes `uname -a; w; id; /bin/bash -i`; alert on child processes of the web server (e.g. apache2/nginx) spawning `/bin/bash -i` or running `id`, `w` or `uname`.
- The reverse shell beacon was directed to C2 `43.204.24.76` on port `6969`; monitor outbound connections from web-server processes to this host/port combination.
- The Linux privilege-escalation enumeration script `linenum.sh` was dropped on the compromised host; scan for this filename in web-accessible and temp directories.
- The backdoor WordPress account was registered with username `secragon`; audit `wp_users` for accounts with administrator capabilities created after the exploitation window.
- The homoglyph bypass character ('à', Unicode U+00E0) used in the `wp_càpabilities` parameter key may vary across exploit variants; defenders should normalise Unicode in POST body parameters before matching.
- The exploit dynamically extracts the registration form's `form_id` and `_wpnonce` values from the page before submitting; static signatures matching fixed form IDs will miss real-world attacks.
- The vulnerability affects Ultimate Member plugin versions prior to 2.6.7; the observed in-the-wild exploitation used version 2.6.4, confirming that pre-patch versions are actively targeted.
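As an added illustration of the normalisation caveat above (not code from any of the sources on this page), the following Python folds accented homoglyphs in URL-encoded POST parameter keys back to ASCII before matching, so `wp_càpabilities[...]` is recognised as `wp_capabilities[...]`; it generalises beyond U+00E0 to any Latin letter carrying a combining mark. The sample request bodies are constructed.

```python
import re
import unicodedata
from urllib.parse import parse_qsl

# Constructed sample registration POST bodies as a WAF or access log would record them:
# the homoglyph key from the IOC list, a hypothetical variant with a different accent,
# and a benign sign-up.
SAMPLE_BODIES = [
    "form_id=123&_wpnonce=deadbeef&user_login=secragon"
    "&wp_c%C3%A0pabilities%5Badministrator%5D=1",
    "form_id=123&user_login=x&wp_c%C3%A1pabilities%5Beditor%5D=1",
    "form_id=123&user_login=alice&user_email=alice%40example.com",
]

# The normalised key, with an optional role subscript such as [administrator].
CAPABILITY_KEY = re.compile(r"^wp_capabilities(?:\[(?P<role>[^\]]*)\])?$")


def normalise_key(key: str) -> str:
    """Fold 'wp_c\u00e0pabilities' to 'wp_capabilities': NFKD-decompose, drop the
    combining marks, lower-case. Script-mixing homoglyphs (e.g. a Cyrillic letter
    that merely looks Latin) are not folded by NFKD and need a confusables table."""
    decomposed = unicodedata.normalize("NFKD", key)
    return "".join(ch for ch in decomposed if not unicodedata.combining(ch)).lower()


def find_capability_injection(body: str) -> list:
    """Return one record per parameter whose normalised key targets wp_capabilities."""
    hits = []
    # parse_qsl percent-decodes as UTF-8, so %C3%A0 arrives as the single char 'à'.
    for raw_key, value in parse_qsl(body, keep_blank_values=True):
        norm = normalise_key(raw_key)
        match = CAPABILITY_KEY.match(norm)
        if match:
            hits.append({
                "raw_key": raw_key,
                "normalised_key": norm,
                "role": match.group("role"),
                "value": value,
                "homoglyph": raw_key != norm,  # True when folding changed the key
            })
    return hits


def scan_bodies(bodies: list) -> dict:
    """Map body index -> hits for every body carrying a capability key."""
    return {i: h for i, b in enumerate(bodies) if (h := find_capability_injection(b))}


if __name__ == "__main__":
    for idx, hits in scan_bodies(SAMPLE_BODIES).items():
        for h in hits:
            print(f"body {idx}: {h['raw_key']!r} -> {h['normalised_key']} "
                  f"role={h['role']} homoglyph={h['homoglyph']}")
```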
CVSS provenance
- NVD (v3.1): 9.8 CRITICAL, `CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H`
- VulnCheck: 9.8 CRITICAL
GHSA
GHSA-77j3-wqmc-3rp8: The Ultimate Member WordPress plugin before 2
ghsa_unreviewed · 2023-07-04 · CWE-269 · CRITICAL
VulnCheck
The Ultimate Member WordPress plugin before 2.6.7 Privilege Escalation
vulncheck · 2023 · CVSS 9.8 · CRITICAL
Affected: Ultimate Member ultimate_member
Required Action: Apply remediations or mitigations per vendor instructions, or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References:
- https://www.wordfence.com/blog/2023/06/psa-unpatched-critical-privilege-escalation-vulnerability-in-ultimate-member-plugin-being-actively-exploited/
- https://www.cve.org/CVERecord?id=CVE-2023-3460
Exploit PoC: https://vulncheck.com/xdb/69fdc04696ad
No detection rules found.
Exploit-DB
Ultimate Member WordPress Plugin 2.6.6 - Privilege Escalation
exploitdb · 2025-08-03 · CVSS 9.8 · CRITICAL

```python
#!/usr/bin/env python3
# Exploit Title: Ultimate Member WordPress Plugin 2.6.6 - Privilege Escalation
# Exploit Author: Gurjot Singh
# CVE: CVE-2023-3460
# Description: The attached PoC demonstrates how an unauthenticated attacker can escalate privileges to admin by abusing unsanitized input in `wp_capabilities` during registration.
import requests
import argparse
import re
import urllib3
from bs4 import BeautifulSoup
import sys

urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)


def check_password_strength(password):
    """Checks if password meets complexity requirements."""
    if len(password) ]', password):
        print("[!] Password must contain at least one special character (!@#$%^&* etc.)")
        print(" Example:
```
Nuclei
Ultimate Member < 2.6.7 - Unauthenticated Privilege Escalation
nuclei · CVSS 9.8 · CRITICAL
Template:

```yaml
id: CVE-2023-3460

info:
  name: Ultimate Member < 2.6.7 - Unauthenticated Privilege Escalation
  author: DhiyaneshDk
  severity: critical
  description: |
    The plugin does not prevent visitors from creating user accounts with arbitrary capabilities, effectively allowing attackers to create administrator accounts at will. This is actively being exploited in the wild.
  impact: |
    Unauthenticated users can gain unauthorized access and perform actions with elevated privileges.
  remediation: |
    Upgrade to Ultimate Member v
```
Checkpoint
3rd July – Threat Intelligence Report
blogs_checkpoint · 2023-07-03 · tagged CVE-2020-12641
For the latest discoveries in cyber research for the week of 3rd July, please download our Threat Intelligence Bulletin.
TOP ATTACKS AND BREACHES
The LockBit ransomware group has recently claimed responsibility for hacking the Taiwan Semiconductor Manufacturing Company (TSMC), the largest contract chip manufacturer globally, serving tech giants such as Apple and Qualcomm. TSMC denied it was breached by LockBit, but confirmed that the group has breached one of the company’s I
CTF
Ultimatum / README
ctf_writeups
# Ultimatum
> Write-up author: jon-brandy
## Lessons Learned:
- Reviewing catscale data acquisition.
- Identifying the CVE version related to the ultimate-member plugin.
- Identifying the backdoor user and persistence activity.
## SCENARIO:
One of the Forela WordPress servers was a target of notorious Threat Actors (TA). The website was running a blog dedicated to the Forela Social Club, where Forela employees can chat and discuss random topics. Unfortunately, it became a target of a threat group. The SOC team believes this was due to the blog running a vulnerable plugin. The IT admin already followed the acquisition playbook and triaged the server for the security team. Ultimately (no pun intended) it is your responsibility to investigate the incident. Step in and confirm the culprits behind the attack.
References
- https://blog.wpscan.com/hacking-campaign-actively-exploiting-ultimate-member-plugin/
- https://wpscan.com/vulnerability/694235c7-4469-4ffd-a722-9225b19e98d7