MalCare Protects Against Critical Vulnerabilities in Ultimate Membership Pro Plugin


MalCare Guards Against Critical Privilege Escalation and PHP Object Injection Vulnerabilities in Ultimate Membership Pro Plugin

On February 23rd, 2024, two severe security vulnerabilities were found in the Ultimate Membership Pro plugin, affecting versions up to 12.7. These vulnerabilities could allow attackers to upgrade their user privileges and insert harmful PHP code, leading to unauthorized control of your WordPress site.

If you are currently using this plugin, we recommend that you scan your site to identify any issues.

What are the vulnerabilities?

Ultimate Membership Pro plugin

If you’re one of almost 40,000 site owners using the Ultimate Membership Pro plugin, be aware: versions up to 12.7 have two critical vulnerabilities, privilege escalation and PHP object injection.

What makes these vulnerabilities so severe is the low barrier to entry. Hackers can register themselves on vulnerable sites at any membership level. They can then change user roles to gain complete control of the site. They can also sneak in dangerous code, spreading malware or causing data leaks.

Should you be worried?

Yes. The vulnerabilities in the Ultimate Membership Pro plugin are serious, with CVSS scores of 9.4 and 9, indicating critical threats.

Hence, you must update the plugin immediately to protect your site from these risks.

What should you do next?

To ensure your site remains secure, it’s important to take action right away. Here’s what you need to do:

  • Immediately upgrade the Ultimate Membership Pro plugin to version 16.8. This update includes patches for the identified vulnerabilities and helps secure your site.
  • Use an activity log to detect any unusual activities that could threaten your site. This will help identify any attempts to exploit the vulnerabilities.
MalCare activity log

What if your site is already compromised?

If you suspect that your site already has faced attacks that exploit these vulnerabilities:

  • Install a robust security plugin. This will help you monitor your site continuously and block future attacks.
  • Strengthen passwords. Change all your passwords including those for hosting and the database into something unique and complex.
  • Run a comprehensive malware scan using the security plugin and remove any detected threats.
  • Ensure all plugins, including Ultimate Membership Pro, are updated to their latest versions after restoring your site.

Technical details of the vulnerabilities

Issue

The Ultimate Membership Pro plugin is affected by two critical vulnerabilities: privilege escalation and PHP object injection. These vulnerabilities expose your site to unauthorized access and malicious code execution.

Root cause

The privilege escalation vulnerability is linked to the setRole and setRoleForRegister functions in the plugin.

When someone signs up on a website using the Ultimate Membership Pro plugin, the submitted form fields are collected as $postData. This includes a membership level code, which the plugin resolves into $levelData, the record describing what the user is permitted to do on the site.

The problem is that the Ultimate Membership Pro plugin doesn’t verify this information properly. Attackers can exploit this problem to elevate their user roles. For example, they can become an administrator, potentially giving them control over the entire site.

Vulnerable code 1
Vulnerable code 2
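The safe way to handle the flow described above is to resolve the role from a server-side table and allow-list the result, so nothing in $postData can influence the role that is granted. The following is an added example written for this post, not the plugin’s code; the level table, the level_code field and the resolve_register_role function are constructed for illustration.

```php
<?php
// Added example: a hypothetical registration handler, not the plugin's code.
// $postData comes from the browser; $levels is a server-side definition of
// membership levels (constructed here). The fix is to never derive the
// resulting WordPress role from anything the client controls.

// Constructed server-side level table. Only levels flagged self_register may
// be chosen at sign-up, and each maps to a fixed, non-privileged role.
$levels = [
    'free'  => ['self_register' => true,  'role' => 'subscriber'],
    'gold'  => ['self_register' => true,  'role' => 'subscriber'],
    'staff' => ['self_register' => false, 'role' => 'editor'],
];

/**
 * Resolve the WordPress role for a self-registration request.
 * Returns the role name on success, or null if the request must be rejected.
 */
function resolve_register_role(array $postData, array $levels): ?string {
    // Privileged roles are never assignable through public registration,
    // whatever the level table says.
    $allowed_roles = ['subscriber'];

    // 1. The level code must be a string the server knows about.
    $code = $postData['level_code'] ?? null;
    if (!is_string($code) || !isset($levels[$code])) {
        return null;
    }

    // 2. The level must be open to self-registration.
    if (empty($levels[$code]['self_register'])) {
        return null;
    }

    // 3. The role comes from the server-side table, never from $postData
    //    (a client-supplied 'role' or 'level_data' field is simply ignored).
    $role = $levels[$code]['role'];

    // 4. Final allow-list check on the resolved role.
    return in_array($role, $allowed_roles, true) ? $role : null;
}

// Applying it after wp_insert_user() has created the account ($user_id assumed):
// $role = resolve_register_role(wp_unslash($_POST), $levels);
// if ($role === null) { wp_die('Invalid membership level.'); }
// (new WP_User($user_id))->set_role($role); // set_role() replaces existing roles
```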

Separately, the PHP object injection vulnerability occurs because some of the plugin’s functions can be reached by anyone, even without logging into the site.

This is because they are registered on WordPress hooks, such as wp_ajax_nopriv_ actions or init, that run for unauthenticated visitors. Data these handlers receive through form fields or cookies is not always validated before it is processed.

This gives attackers a path to submit crafted, serialized data that the plugin deserializes. From there they may be able to execute unauthorized actions on the server and potentially gain access to sensitive information.

Vulnerable code 3
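To make the hook issue concrete, here is an added example (written for this post, not taken from the plugin) of a handler registered on wp_ajax_nopriv_ that first shows the unsafe unserialize pattern and then a hardened version that accepts only JSON, whitelists the fields it expects and verifies a nonce. The action name ump_demo, the ump_demo_state cookie and the ump_demo_* functions are hypothetical.

```php
<?php
// Added example, not the plugin's code. A public (nopriv) AJAX handler that
// decodes client-supplied state safely instead of unserializing it.
// All names (ump_demo_*, the ump_demo_state cookie) are hypothetical.

// Unsafe pattern: a handler reachable without login that unserializes a
// cookie. Any loadable class with a magic method (__wakeup, __destruct)
// can be instantiated by whoever controls that cookie.
function ump_demo_unsafe_handler() {
    $state = unserialize($_COOKIE['ump_demo_state'] ?? '');   // vulnerable
    wp_send_json_success($state);
}

// Hardened pattern: accept only JSON, then whitelist keys and types.
function ump_demo_decode_state(string $raw): array {
    // json_decode never instantiates objects; depth is capped as well.
    $data = json_decode($raw, true, 8);
    if (!is_array($data) || json_last_error() !== JSON_ERROR_NONE) {
        return [];
    }
    $clean = [];
    if (isset($data['plan']) && is_string($data['plan'])) {
        $clean['plan'] = sanitize_key($data['plan']);
    }
    if (isset($data['step']) && is_int($data['step'])) {
        $clean['step'] = max(0, min(10, $data['step']));
    }
    return $clean;
}

function ump_demo_safe_handler() {
    // Unauthenticated endpoints still need a nonce check to stop cross-site
    // requests; the nonce must be embedded in the page that calls this action.
    check_ajax_referer('ump_demo_nonce', 'nonce');
    $raw = wp_unslash($_COOKIE['ump_demo_state'] ?? '');
    wp_send_json_success(ump_demo_decode_state($raw));
}
add_action('wp_ajax_nopriv_ump_demo', 'ump_demo_safe_handler');
add_action('wp_ajax_ump_demo', 'ump_demo_safe_handler');

// If legacy PHP-serialized data truly cannot be replaced, at least forbid
// object instantiation so only scalars and arrays can come back:
// $data = unserialize($raw, ['allowed_classes' => false]);
```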

Timeline

  • Rafie Muhammad, a WordPress security researcher, discovers vulnerabilities in the Ultimate Membership Pro plugin and reports them to Patchstack on February 23rd, 2024.
  • Patchstack informs WPIndeed, the plugin developers, and publishes information in their database on August 12th, 2024.
  • WPIndeed releases v16.8 of the plugin on September 3rd, 2024 to patch the vulnerabilities.

How MalCare protects your site

If you are a MalCare user, your site is already protected against the Ultimate Membership Pro plugin vulnerabilities.

MalCare’s advanced Atomic Security firewall proactively shields your site without any manual intervention.

Additionally: 

  • MalCare blocks any unauthorized attempts to change user roles. This stops any privilege escalation attempt right in its tracks.
  • MalCare detects and prevents harmful code from being inserted into your site.
  • MalCare constantly scans for threats and blocks them from being exploited.
MalCare Malware scanner

How to keep your site secure

Keeping your website protected is an ongoing task that requires a combination of good practices and robust tools. Here’s some general advice to ensure your site remains safe from threats:

  • Use a reliable security plugin like MalCare to monitor your site for threats and provide automated updates. These plugins offer real-time protection and help detect vulnerabilities early.
  • Always keep your plugins, themes, and WordPress core current. Developers regularly release updates that patch security vulnerabilities, so staying up-to-date is crucial.
  • Set complex and unique passwords for your site’s admin accounts, databases, and other sensitive areas. A password manager can help generate and store these securely. Additionally, advise users to create strong passwords and remind them to update their passwords regularly for enhanced security.
  • Enable 2FA on your site. This adds an extra layer of security by requiring a second form of verification when logging in.
  • Use a reputable hosting provider that prioritizes security. Good hosts offer features like firewalls, malware scanning, and regular backups.
  • Regularly back up your website to ensure you can quickly restore it in the event of a security breach. Automated backup solutions can make this process effortless.
  • Regularly audit users and check user permissions on your site to ensure no one has more access than they need. Limit admin rights to only those who absolutely require them.
