MalCare Protects Against Critical Vulnerabilities in Ultimate Membership Pro Plugin
On February 23rd, 2024, two severe security vulnerabilities were found in the Ultimate Membership Pro plugin, affecting all versions up to 12.7. The first lets an attacker escalate their own account to administrator; the second lets an unauthenticated visitor inject serialized PHP objects. Either can lead to complete, unauthorized control of your WordPress site.
If you are currently using this plugin, we recommend that you scan your site to identify any issues.
What are the vulnerabilities?
If you’re one of the almost 40,000 site owners using the Ultimate Membership Pro plugin, be aware: versions up to 12.7 have two critical vulnerabilities, a privilege escalation and a PHP object injection.
What makes these vulnerabilities so severe is the low barrier to entry. For the privilege escalation, an attacker only needs to register an account, which most membership sites allow, and during that registration the plugin can be made to assign them a role of their choosing, including administrator, which gives complete control of the site. The object injection needs no account at all: the affected code runs for anonymous visitors, so an attacker can feed it crafted data that executes unintended code on the server, plants malware or leaks data.
Should you be worried?
Yes. The vulnerabilities in the Ultimate Membership Pro plugin are serious, with CVSS scores of 9.4 and 9.0, both in the critical range.
Hence, you must update the plugin immediately to protect your site from these risks.
What should you do next?
To ensure your site remains secure, it’s important to take action right away. Here’s what you need to do:
- Update Ultimate Membership Pro to the latest version; every version up to 12.7 is affected.
- Scan your site for malware and for signs that the vulnerabilities have already been exploited.
- Review the user list and remove any account, especially any administrator, that you did not create.
What if your site is already compromised?
If you suspect that your site already has faced attacks that exploit these vulnerabilities:
- Scan and clean the site of malware first; a backdoor left behind makes every other step pointless.
- Audit all users: remove unknown administrator accounts and revert any role changes you did not make.
- Reset the passwords of the remaining administrators and your database credentials, since an attacker with administrator access may have captured them.
- Only then update the plugin, and keep it updated.
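The user audit above is the check most worth automating after an incident like this. The script below is an added example written for this article, not MalCare's or the plugin's code; it runs inside WordPress (for example with WP-CLI as `wp eval-file audit-admins.php`, assuming WP-CLI is installed) and lists every administrator, flagging accounts that are not on a list of logins you expect and accounts registered on or after the disclosure date. The `$since` date and `$known_admins` list are assumptions to adjust for your own site.

```php
<?php
// Added audit script, not part of the plugin or of this article's original text.
// Run inside WordPress, e.g.:  wp eval-file audit-admins.php
// Assumptions (adjust for your site): the disclosure date below and the
// list of administrator logins you created yourself.
$since        = '2024-02-23';          // date the vulnerabilities became public
$known_admins = ['siteowner'];         // hypothetical list of expected admin logins

// Every account that currently holds the administrator role, oldest first.
// get_users() with 'role' is the standard WordPress API for this query.
$admins = get_users([
    'role'    => 'administrator',
    'orderby' => 'registered',
    'order'   => 'ASC',
]);

$suspicious = 0;
printf("%-6s %-20s %-30s %-20s %s\n", 'ID', 'login', 'email', 'registered', 'flags');

foreach ($admins as $u) {
    $reasons = [];
    if (!in_array($u->user_login, $known_admins, true)) {
        $reasons[] = 'not in known-admin list';
    }
    // A privilege escalation during registration leaves a freshly
    // registered user that is already an administrator; surface any
    // administrator whose registration date is on or after disclosure.
    if (strtotime($u->user_registered) >= strtotime($since)) {
        $reasons[] = "registered on/after $since";
    }
    if ($reasons) {
        $suspicious++;
    }
    printf("%-6d %-20s %-30s %-20s %s\n",
        $u->ID, $u->user_login, $u->user_email, $u->user_registered,
        $reasons ? '<-- ' . implode('; ', $reasons) : '');
}

printf("\n%d administrator(s), %d flagged for review\n", count($admins), $suspicious);
```

A flagged account is not proof of compromise on its own, but an administrator you did not create, or one that appeared after the disclosure date, should be disabled and investigated before you trust the site again. Remember to check the role of existing accounts too; the role change that matters may have happened to an account that was already there.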
Technical details of the vulnerabilities
Issue
The Ultimate Membership Pro plugin is affected by two critical vulnerabilities: privilege escalation and PHP object injection. These vulnerabilities expose your site to unauthorized access and malicious code execution.
Root cause
The privilege escalation vulnerability is in the plugin’s setRole and setRoleForRegister functions.
When someone signs up on a website using the Ultimate Membership Pro plugin, the registration form fields are collected as $postData. Among them is a membership level code, which the plugin turns into $levelData, the record describing what a member at that level can do on the site, including which WordPress role they receive.
The problem is that the plugin does not properly validate that level data before acting on it, so a value the registrant controls ends up deciding the role that is assigned. An attacker can exploit this to register as an administrator, which gives them control over the entire site.
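To make the root cause concrete, here is an added example of the same bug class in miniature, written for this article; it is not the plugin’s code, and the level table, field names and function names are hypothetical. The vulnerable function takes the role from level data that arrived with the request; the fixed one only accepts a level id, resolves the role from a server-side table and then checks it against an allowlist of roles a self-registered user may ever receive.

```php
<?php
// Added illustration of the privilege-escalation pattern; not Ultimate
// Membership Pro's own code. Names and the level table are hypothetical.

// Server-side membership levels. Only these ids are legitimate, and none
// of them maps to an administrator role.
const LEVELS = [
    1 => ['name' => 'free',    'role' => 'subscriber'],
    2 => ['name' => 'premium', 'role' => 'subscriber'],
];

// Roles a self-registered user may ever be given (allowlist).
const REGISTRATION_ROLES = ['subscriber'];

// VULNERABLE: trusts the level details that came with the request.
// $postData stands in for the registration form fields, as in the text.
function vulnerable_role_for_register(array $postData): string
{
    // Attacker-controlled: the "level" can carry a role of its own.
    $levelData = $postData['level'] ?? ['role' => 'subscriber'];
    return $levelData['role'];            // nothing stops 'administrator'
}

// FIXED: the client may only name a level id; the role is looked up
// server-side and then checked against the allowlist.
function safe_role_for_register(array $postData): string
{
    $levelId = filter_var($postData['level_id'] ?? null, FILTER_VALIDATE_INT);
    if ($levelId === false || !isset(LEVELS[$levelId])) {
        $levelId = 1;                     // unknown level: fall back to the default tier
    }
    $role = LEVELS[$levelId]['role'];
    if (!in_array($role, REGISTRATION_ROLES, true)) {
        $role = 'subscriber';             // never hand out anything outside the allowlist
    }
    return $role;
}

// Constructed malicious registration request: the attacker adds a role
// to the level data instead of merely choosing a level.
$attack = [
    'user_login' => 'mallory',
    'level'      => ['id' => 2, 'role' => 'administrator'],
    'level_id'   => 2,
];

printf("vulnerable: %s\n", vulnerable_role_for_register($attack));
printf("fixed:      %s\n", safe_role_for_register($attack));
```

Run with the PHP CLI, the vulnerable function hands the attacker `administrator` while the fixed one returns `subscriber`. In a real plugin the returned role would be applied with `WP_User::set_role()`; the important property is that the value passed to it is computed from data the site owns, never from the request.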
The PHP object injection vulnerability, by contrast, lives in functions that anyone can reach, logged in or not.
They are registered on WordPress hooks such as wp_ajax_nopriv or init, which fire for anonymous visitors. Data those functions read from form fields or cookies is passed to PHP’s unserialize() without being checked first.
An attacker can therefore send a serialized PHP object of their choosing. When it is deserialized, PHP instantiates the class and runs its magic methods (such as __wakeup() or __destruct()); with a suitable class available on the site, that is enough to write files, run arbitrary code on the server, or read sensitive information.
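The following added example, written for this article and not taken from the plugin, shows the mechanism end to end: a hypothetical class with a side effect in __destruct(), a constructed cookie value carrying a serialized instance of it, a handler in the style of a wp_ajax_nopriv callback that deserializes the cookie blindly, and a fixed handler that refuses to instantiate classes at all. The cookie name and class are assumptions.

```php
<?php
// Added illustration of PHP object injection; not the plugin's own code.
// The class, cookie name and payload are hypothetical and constructed here.

// A "gadget": any class present on the site whose magic method does
// something sensitive. unserialize() instantiates it from attacker data,
// and PHP calls __destruct() as soon as the object is discarded.
class CacheFile
{
    public $path = '';
    public $data = '';
    public function __destruct()
    {
        // Stand-in for the dangerous side effect (real chains write files,
        // include templates or invoke callbacks). Kept harmless here.
        echo "__destruct ran: would write to {$this->path}\n";
    }
}

// Constructed attacker cookie: a serialized CacheFile aimed at a PHP file.
// This is what the "harmful, disguised data" looks like on the wire.
$evil = 'O:9:"CacheFile":2:{s:4:"path";s:13:"wp-config.php";s:4:"data";s:14:"<?php evil(); ";}';

// VULNERABLE handler, as if hooked on wp_ajax_nopriv_* or init:
// no login required, raw cookie straight into unserialize().
function vulnerable_handler(array $cookie): void
{
    $state = unserialize($cookie['ihc_state'] ?? '');
    printf("vulnerable: got %s\n", is_object($state) ? get_class($state) : gettype($state));
    unset($state);                         // attacker's object dies here and __destruct fires
}

// FIXED handler: never let unserialize() build objects from untrusted
// input. With allowed_classes => false every class in the payload becomes
// __PHP_Incomplete_Class and no magic method runs; anything that is not
// the array we expect is discarded. (A format that cannot carry objects,
// such as JSON, is the better choice for cookie or form state.)
function safe_handler(array $cookie): void
{
    $raw   = $cookie['ihc_state'] ?? '';
    $state = @unserialize($raw, ['allowed_classes' => false]);
    if (!is_array($state)) {
        $state = [];                       // malformed or object-bearing input: ignore it
    }
    printf("fixed: got %s with %d keys\n", gettype($state), count($state));
    unset($state);                         // nothing to fire
}

vulnerable_handler(['ihc_state' => $evil]);
safe_handler(['ihc_state' => $evil]);
```

With the vulnerable handler the destructor runs the moment the object is released, even though the handler never called a method on it; that is why the attacker does not need to know anything about how the handler uses the value. The fixed handler produces an empty array instead, and the gadget never exists.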
Timeline
- February 23rd, 2024: both vulnerabilities were found in Ultimate Membership Pro, affecting versions up to 12.7.
How MalCare protects your site
If you are a MalCare user, your site is already protected against the Ultimate Membership Pro plugin vulnerabilities.
MalCare’s Atomic Security firewall blocks exploitation attempts against these vulnerabilities without any manual intervention on your part.
Additionally:
How to keep your site secure
Keeping your website protected is an ongoing task that requires a combination of good practices and robust tools. Here’s some general advice to ensure your site remains safe from threats:
- Use a reliable security plugin like MalCare to monitor your site for threats and keep plugins updated automatically. Such plugins offer real-time protection and help detect vulnerabilities early.
- Always keep your plugins, themes, and WordPress core current. Developers regularly release updates that patch security vulnerabilities, so staying up to date is crucial.
- Set complex and unique passwords for your site’s admin accounts, databases, and other sensitive areas. A password manager can help generate and store them securely. Encourage your users to choose strong passwords as well.
- Enable 2FA on your site. This adds an extra layer of security by requiring a second form of verification when logging in.
- Use a reputable hosting provider that prioritizes security. Good hosts offer features like firewalls, malware scanning, and regular backups.
- Regularly back up your website to ensure you can quickly restore it in the event of a security breach. Automated backup solutions can make this process effortless.
- Regularly audit users and check user permissions on your site to ensure no one has more access than they need. Limit admin rights to only those who absolutely require them.