The Ultimate Member WordPress plugin before 2.6.7 does not prevent visitors from creating user accounts with arbitrary capabilities, effectively allowing attackers to create administrator accounts at will. This is actively being exploited in the wild.
References
Link | Resource |
---|---|
https://blog.wpscan.com/hacking-campaign-actively-exploiting-ultimate-member-plugin/ | Third Party Advisory |
https://wpscan.com/vulnerability/694235c7-4469-4ffd-a722-9225b19e98d7 | Exploit Patch |
History
No history.
MITRE Information
Status: PUBLISHED
Assigner: WPScan
Published: 2023-07-04T07:23:28.852Z
Updated: 2023-07-04T07:23:28.852Z
Reserved: 2023-06-29T13:45:40.301Z
Link: CVE-2023-3460
JSON object: View
NVD Information
Status : Modified
Published: 2023-07-04T08:15:10.573
Modified: 2023-11-07T04:18:46.730
Link: CVE-2023-3460
JSON object: View
Redhat Information
No data.
CWE
No CWE.