WordPress Ultimate Member 2.6.6 Privilege Escalation

Posted Jun 30, 2023
Authored by Marc-Alexandre Montpas, Ramuel Gall, Istvan Marton

WordPress Ultimate Member plugin versions 2.6.6 and below suffer from a privilege escalation vulnerability.

tags | advisory
advisories | CVE-2023-3460
SHA-256 | f5d75217bac851597070df579c5cffbcbc42ab75dddb1476c2fdcaa31a651b75

Description: Ultimate Member <= 2.6.6 – Privilege Escalation via Arbitrary User Meta Updates

Affected Plugin: Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin

Plugin Slug: ultimate-member

Affected Versions: <= 2.6.6

CVE ID: CVE-2023-3460

CVSS Score: 9.8 (Critical)
Researcher/s: Unknown, Marc-Alexandre Montpas

Fully Patched Version: NONE

The Ultimate Member plugin for WordPress is vulnerable to privilege escalation in versions up to, and including, 2.6.6. This is because the plugin relies on a predefined list of banned user meta keys, and that list can be bypassed by a few methods, such as adding slashes to the user meta key. This makes it possible for unauthenticated attackers to register on a site as an administrator.

Vulnerable Mechanism

Ultimate Member is a plugin designed to add easy registration and account management to WordPress sites. One of the features is a registration form that users can use to sign up for an account on a WordPress site running the plugin. Unfortunately, this form makes it possible for users to register and set arbitrary user meta values for their account.

While the plugin has a preset list of banned keys that a user should not be able to update, in vulnerable versions there are trivial ways to bypass the filters put in place, such as varying the case, adding slashes, or using different character encodings in the supplied meta key name.

This makes it possible for attackers to set the wp_capabilities user meta value, which controls the user’s role on the site, to ‘administrator’. This grants the attacker complete access to the vulnerable site when successfully exploited.
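The root cause above is a denylist compared against the raw submitted key name, so any cosmetic variation of the name slips past it. The following added example (not the plugin's code) shows the two defensive options a maintainer would reach for: canonicalizing the key before the denylist check, and, better, accepting only an explicit allowlist of keys the form is meant to write. The `ALLOWED_KEYS` set and the second banned key are constructed for the illustration.

```python
from urllib.parse import unquote

# Denylist in the style the advisory describes. wp_capabilities comes from
# the advisory; wp_user_level is a constructed second entry.
BANNED_KEYS = {"wp_capabilities", "wp_user_level"}

# Allowlist of keys a registration form legitimately needs (constructed).
ALLOWED_KEYS = {"first_name", "last_name", "description"}


def canonical_key(key: str) -> str:
    """Reduce a submitted meta key to the form it will have once the
    application has unslashed and decoded it, so that case, backslashes and
    percent-encoding cannot hide a banned name from the comparison."""
    prev = None
    while prev != key:            # decode until stable (covers double encoding)
        prev = key
        key = unquote(key)
    key = key.replace("\\", "")   # remove added slashes
    return key.strip().lower()


def key_is_banned(key: str) -> bool:
    """Denylist check done on the canonical form rather than the raw string."""
    return canonical_key(key) in BANNED_KEYS


def filter_registration_meta(submitted: dict) -> dict:
    """Allowlist approach: a key is kept only if it is, byte for byte, one the
    form is meant to set. Nothing outside the allowlist is ever written, so no
    normalization tricks matter here."""
    return {k: v for k, v in submitted.items() if k in ALLOWED_KEYS}
```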

Indicators of Compromise

While our attack data is limited at this point, we do have the following indicators of compromise from a separate pre-existing firewall rule that provided partial coverage for this vulnerability. We recommend running a complete Wordfence malware scan to ensure your site is not compromised if you are running Ultimate Member, and keeping an eye out for the following indicators of compromise.

- The most important thing to check for is new user accounts created with administrator privileges.
- We are seeing the following usernames in our attack data:
  - wpenginer
  - wpadmins
  - wpengine_backup
  - se_brutal
  - segs_brutal
- Access log entries showing attackers hitting a compromised site’s Ultimate Member registration page, which is set on the /register path by default.
- Look for the following IP Addresses in a site’s access logs, or in the Wordfence plugin’s live traffic feed.
- The following domain has been associated with user account email addresses:
  - exelica[.]com
- Check for plugins and themes that may not have been installed previously.
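The checks above can be scripted against a users-table export and the web server access log. The following added example (not Wordfence's tooling) flags recently created administrator accounts, the usernames and email domain listed above, and requests to the default /register path. The user records and log lines are constructed sample data; the IP addresses in them are documentation ranges, not indicators from the advisory.

```python
import re
from datetime import datetime, timedelta

# Indicators taken from the advisory.
IOC_USERNAMES = {"wpenginer", "wpadmins", "wpengine_backup", "se_brutal", "segs_brutal"}
IOC_EMAIL_DOMAINS = {"exelica.com"}   # written exelica[.]com above
REGISTER_PATH = "/register"           # plugin's default registration page

# Constructed sample data: a users-table extract and a few access-log lines.
SAMPLE_USERS = [
    {"login": "alice", "email": "alice@example.org", "role": "administrator", "registered": "2023-01-10 09:00:00"},
    {"login": "wpadmins", "email": "x@exelica.com", "role": "administrator", "registered": "2023-06-29 03:14:07"},
    {"login": "bob", "email": "bob@example.org", "role": "subscriber", "registered": "2023-06-28 11:00:00"},
]
SAMPLE_LOG = """\
203.0.113.5 - - [29/Jun/2023:03:14:02 +0000] "POST /register/ HTTP/1.1" 200 512
198.51.100.7 - - [29/Jun/2023:03:15:40 +0000] "GET /blog/hello-world/ HTTP/1.1" 200 8192
203.0.113.5 - - [29/Jun/2023:03:14:09 +0000] "GET /wp-admin/ HTTP/1.1" 200 4096
"""
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)')
TS_FMT = "%Y-%m-%d %H:%M:%S"


def suspicious_users(users, now_str, window_days=7):
    """Return (login, reasons) for accounts matching any of the advisory's
    user-level indicators. now_str is the review time in TS_FMT."""
    now = datetime.strptime(now_str, TS_FMT)
    findings = []
    for u in users:
        reasons = []
        created = datetime.strptime(u["registered"], TS_FMT)
        if u["role"] == "administrator" and now - created <= timedelta(days=window_days):
            reasons.append("new administrator")
        if u["login"] in IOC_USERNAMES:
            reasons.append("IoC username")
        if u["email"].rsplit("@", 1)[-1].lower() in IOC_EMAIL_DOMAINS:
            reasons.append("IoC email domain")
        if reasons:
            findings.append((u["login"], reasons))
    return findings


def register_hits(log_text):
    """Return (ip, timestamp, method) for every request to the registration page."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and m.group(4).split("?")[0].rstrip("/") == REGISTER_PATH:
            hits.append((m.group(1), m.group(2), m.group(3)))
    return hits
```

Every hit on the registration page is not an attack, so correlate the source IPs with the flagged accounts' registration times before acting.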

If your site has been compromised by this exploit, we offer professional site cleaning services through Wordfence Care, with Wordfence Response providing an expedited turnaround time. Alternatively, if you’re comfortable with doing so we provide instructions on how to clean your site using the free Wordfence plugin.
In today’s PSA, we covered a Critical-severity Privilege Escalation vulnerability in Ultimate Member that is being actively exploited. The vulnerability remains unpatched and can quickly allow unauthenticated users to automatically take over any site with the plugin installed. This means that all 200,000 installations are currently at risk. We recommend verifying that this plugin is not installed on your site until a patch is made available, and forwarding this advisory to anyone you know who manages a WordPress website.

While the firewall rule we released today should protect Wordfence Premium, Wordfence Care, and Wordfence Response users from site takeover, the Ultimate Member plugin contains additional functionality that is impractical to block which could potentially be abused by a sophisticated attacker in combination with vulnerabilities in other software. As such we recommend uninstalling the plugin even if you are protected by our firewall rule, as it minimizes but does not fully eliminate the risk presented by this vulnerability.

For security researchers looking to disclose vulnerabilities responsibly and obtain a CVE ID, you can submit your findings to Wordfence Intelligence and potentially earn a spot on our leaderboard.

Special thanks to Ramuel Gall, Wordfence Senior Security Researcher, and István Márton, Wordfence Vulnerability Researcher, for their assistance reverse engineering this vulnerability and for contributing to this post!

© 2022 Packet Storm. All rights reserved.