Authors of the Ultimate Member plugin have released version 2.6.7 with a patch for a privilege escalation vulnerability. Last week WPScan reported that Ultimate Member had still not fully patched the vulnerability after a number of insufficient attempts. There was evidence that it was being actively exploited in the wild.
Working through the complexities of this security issue, WPScan researcher Marc Montpas opened a ticket on WordPress trac, identifying an issue with the meta key field in the usermeta table using accent insensitive collations:
Looking at the latest string of vulnerability issues that came up related to the Ultimate Member plugin I discovered that the usermeta table has an accent insensitive collation for the meta_key field. This results in queries for wp_cãpăbilitiës to return the actual
update_metadata() function in wp-includes/meta.php
Imagine the attack surface this brings. In fact, don't imagine, just look at the recent attacks in the wild.
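The collation behaviour described in the ticket can be checked directly against a site's database. The following SQL is an added example, not code from the article, from WordPress core or from the Ultimate Member plugin. It assumes MySQL or MariaDB, the default table prefix wp_, and a meta_key column collated with an accent-insensitive collation such as utf8mb4_unicode_ci. The first statement demonstrates why a key like wp_cãpăbilitiës compares equal to wp_capabilities; the remaining statements are audit queries a site owner can run after updating to look for rows that exploit that behaviour and to review which accounts hold the administrator role.

```sql
-- Added example (not from the article, WordPress core or Ultimate Member).
-- Assumptions: MySQL/MariaDB, table prefix "wp_", and a usermeta.meta_key column
-- using an accent-insensitive collation such as utf8mb4_unicode_ci.

-- 1. The behaviour the ticket describes: under an accent-insensitive collation the
--    two keys compare equal (1); under a binary collation they do not (0).
SELECT
  _utf8mb4'wp_capabilities' COLLATE utf8mb4_unicode_ci
    = _utf8mb4'wp_cãpăbilitiës' COLLATE utf8mb4_unicode_ci AS accent_insensitive_match,
  _utf8mb4'wp_capabilities' COLLATE utf8mb4_bin
    = _utf8mb4'wp_cãpăbilitiës' COLLATE utf8mb4_bin        AS binary_match;

-- 2. Confirm which collation the live meta_key column actually uses.
SELECT COLUMN_NAME, COLLATION_NAME
FROM information_schema.COLUMNS
WHERE TABLE_SCHEMA = DATABASE()
  AND TABLE_NAME   = 'wp_usermeta'
  AND COLUMN_NAME  = 'meta_key';

-- 3. Audit: rows whose meta_key collates equal to a privilege-bearing key but is
--    not byte-for-byte identical to it. A clean install returns no rows; any hit
--    is a row worth investigating together with its user_id.
SELECT umeta_id, user_id, meta_key, HEX(meta_key) AS meta_key_hex, meta_value
FROM wp_usermeta
WHERE meta_key IN ('wp_capabilities', 'wp_user_level')
  AND CAST(meta_key AS BINARY) NOT IN ('wp_capabilities', 'wp_user_level');

-- 4. Audit: every user currently holding the administrator role, to compare
--    against the accounts you expect (the "unknown administrator" review the
--    plugin authors recommend). wp_capabilities is a serialized PHP array.
SELECT u.ID, u.user_login, u.user_email, u.user_registered
FROM wp_users u
JOIN wp_usermeta m ON m.user_id = u.ID
WHERE m.meta_key = 'wp_capabilities'
  AND m.meta_value LIKE '%"administrator"%';
```

Query 3 deliberately uses the column's own collation on the left side of the comparison and a binary cast on the right, so it surfaces exactly the rows that WordPress would treat as wp_capabilities while their stored bytes differ. Run the queries against a read replica or a backup copy where possible, and adjust the prefix if the site does not use wp_.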
This particular issue made it more difficult to fully patch the vulnerability in question. Ultimate Member released version 2.6.7 on July 1, 2023, which whitelists the meta keys the plugin stores while submitting forms. The plugin's security advisory details a few other changes that may affect third-party developers:
2.6.7 also separates form settings data and submitted data and operates them in 2 different variables.
[It] includes some important changes to how form submissions are handled. This may cause third-party modifications to stop working. For third-party developers, please update your customizations to support the new changes in the latest version
Ultimate Member recommends users review and delete any unknown administrator accounts, reset all user passwords including the admin, enable SSL and backups, and send any advisories to site members and/or customers regarding the incident. The plugin's developers are working on releasing a feature inside the plugin that will enable the site admin to reset passwords for all users, but it is still being finalized:
The reason for this is a site using our plugin may have been hacked or injected with malware that sniffs login inputs. Because this vulnerability issue is susceptible to these attacks, we recommend resetting passwords after updating with a security patch. This is to ensure the best security for your site users' passwords.
All Ultimate Member users should update to the latest available version, 2.6.7, which has the patch for the vulnerability. The plugin's developers are awaiting more feedback from WPScan and are evaluating all their extensions to ensure they are secure.