Security Incident Update and Recommended Actions

WPScan has confirmed that the vulnerability has been resolved in Ultimate Member version 2.6.7. More information about this confirmation can be found at https://blog.wpscan.com/hacking-campaign-actively-exploiting-ultimate-member-plugin/.

To our Ultimate Member users,

We have written this document to provide you with some additional information about the security vulnerabilities that were recently disclosed to us.

Firstly, we want to apologise for these vulnerabilities in our plugin’s code, to any website that has been impacted, and for the worry that learning of the vulnerabilities may have caused.

As soon as we were made aware that security vulnerabilities had been discovered in the plugin, we immediately began updating the code to patch them.

We have released several updates since the disclosure as we worked through the vulnerabilities, and we want to say a big thank you to the team at WPScan for providing assistance and guidance with this after they got in touch to disclose the vulnerabilities.

Below is an overview of the events around this vulnerability, together with the additional security measures we are implementing.

Overview

We received communication about a "privilege escalation vulnerability" in the plugin on the 26th of June. We immediately started investigating and undertaking some internal testing whilst awaiting more details.

After receiving more details about attackers being able to submit the 'wp_capabilities' meta key through a form, we released version 2.6.4, which included a fix for that; we also removed the extract() function from the admin side of the Ultimate Member plugin.

After this release, the WPScan team got in touch to let us know that attackers could still use the 'wp_caPabilitiEs' key: meta keys in the WordPress database are compared with a case-insensitive collation, so 'wp_caPabilitiEs' and 'wp_capabilities' address the same meta row even though they are different strings in PHP. We released 2.6.5 to fix this and also removed the extract() function from the front end of the plugin.

After this release, further communication with the WPScan team, and the creation of the core Trac ticket https://core.trac.wordpress.org/ticket/58679#ticket, we decided to change the submission handlers in the plugin.

Marc Montpas (Automattic) wrote:

To be more clear, I'm not sure it can 100% be fixed without forbidding UTF-8 characters altogether, or, better, implementing an allowlist validation routine pattern to restrict form fields only to a set of known legitimate, rather than potentially malicious, metas.

The problem is the "utf8mb4_unicode_ci" collation WordPress uses has a bunch of other character equivalence quirks like the ones I submitted earlier. For example, another one that could bypass your latest fix is Unicode free-standing underscores, whose encoding follows the letter that needs to be underscored, instead of having one for each character in existence:

user_login-29=hackuser19&user_password-29=P@ssw0rd%21&wP_capa%cc%b2bilities-29[administrator]=1&confirm_user_password-29=P@ssw0rd%21&first_name-29=Igor&form_id=29&um_request=&_wpnonce=a918042906&_wp_http_referer=%2fregister%2f  
There are hundreds of other side-cases like this, and as far as I know, WordPress does not have a function to "normalize" them all in a way that wouldn't cause other side-effects.

Version 2.6.6 was released with hotfixes for regressions that were detected after removing the extract() function.

Version 2.6.7 was released on the 1st of July to patch the security vulnerability. 2.6.7 introduces an allowlist (whitelist) of the meta keys that the plugin will store from a form submission: a submitted key that is not on the list is discarded, rather than being checked against a list of forbidden names, so lookalike keys that the database collation treats as equal to wp_capabilities are never written. 2.6.7 also separates form settings data from submitted data and handles them in two different variables.
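As an added illustration, not code from the Ultimate Member plugin or from WPScan, the following Python shows why a denylist of forbidden meta keys fails against the collation quirks described above and why an allowlist holds. It parses the bypass payload quoted above and uses a deliberately simplified model of utf8mb4_unicode_ci (case folding plus discarding combining marks); the denied and allowed key sets, and the field-name parsing, are constructed for this example and are not the plugin's actual lists or handlers.

```python
import re
import unicodedata
from urllib.parse import parse_qsl

# Constructed input: the registration payload quoted above. Ultimate Member form
# fields carry a "-<form_id>" suffix; "%cc%b2" is U+0332 COMBINING LOW LINE.
RAW_BODY = (
    "user_login-29=hackuser19&user_password-29=P@ssw0rd%21"
    "&wP_capa%cc%b2bilities-29[administrator]=1"
    "&confirm_user_password-29=P@ssw0rd%21&first_name-29=Igor"
    "&form_id=29&um_request=&_wpnonce=a918042906&_wp_http_referer=%2fregister%2f"
)


# Constructed, simplified model of a case- and accent-insensitive MySQL collation
# such as utf8mb4_unicode_ci: case is ignored and combining marks carry no weight.
# It is an approximation for this example, not MySQL's real collation tables.
def collation_key(s: str) -> str:
    decomposed = unicodedata.normalize("NFKD", s)
    base_only = "".join(ch for ch in decomposed if not unicodedata.combining(ch))
    return base_only.casefold()


def collation_equal(a: str, b: str) -> bool:
    """True when the modelled collation would match the two meta_key strings."""
    return collation_key(a) == collation_key(b)


# "<key>-<form_id>" optionally followed by "[<subkey>]" (PHP array syntax).
FIELD_RE = re.compile(r"^(?P<key>[^\[]+?)(?:-(?P<form>\d+))?(?:\[(?P<sub>[^\]]*)\])?$")


def parse_submission(body: str) -> dict:
    """Decode the form body into {meta_key: value} the way a naive handler would,
    dropping the form-id suffix so the key is what would be written to usermeta."""
    fields = {}
    for name, value in parse_qsl(body, keep_blank_values=True):
        m = FIELD_RE.match(name)
        if m is None:
            continue
        key, sub = m.group("key"), m.group("sub")
        if sub is not None:
            fields.setdefault(key, {})[sub] = value
        else:
            fields[key] = value
    return fields


# Denylist (constructed): names the handler refuses to store, compared after ASCII
# lower-casing. This is the shape of check the lookalike keys above bypass.
DENIED_KEYS = {"wp_capabilities", "wp_user_level"}


def denylist_filter(fields: dict) -> dict:
    return {k: v for k, v in fields.items() if k.lower() not in DENIED_KEYS}


# Allowlist (constructed): the only keys this registration form is known to produce.
# Anything else is discarded whatever it looks like, so collation tricks never reach
# the database. The comparison is exact and case-sensitive on purpose.
ALLOWED_KEYS = {"user_login", "user_password", "confirm_user_password", "first_name"}


def allowlist_filter(fields: dict) -> dict:
    return {k: v for k, v in fields.items() if k in ALLOWED_KEYS}


def colliding_keys(fields: dict, target: str = "wp_capabilities") -> list:
    """Submitted keys that the collation model would map onto the same row as target."""
    return [k for k in fields if collation_equal(k, target)]


if __name__ == "__main__":
    submitted = parse_submission(RAW_BODY)
    print("denylist lets through:", colliding_keys(denylist_filter(submitted)))
    print("allowlist lets through:", colliding_keys(allowlist_filter(submitted)))
```

The denylist passes the key because, as a PHP or Python string, wP_capa̲bilities is not wp_capabilities; only the database's collation makes them the same row. Because the collation model here is an approximation, confirm any particular lookalike against your real database before relying on it; the robust fix does not depend on enumerating the lookalikes at all, which is the point of the allowlist.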

3rd Party modifications

The release of 2.6.7 includes some significant changes to how form submissions are handled. This may cause 3rd-party modifications to stop working. Third-party developers should update their customizations to support the new changes in the latest version. If you have a question or want to report a problem, please create a topic on the forum or get in touch via our website. You can find the recent changes to the Ultimate Member hooks on this site.

Additional actions to take for your website and users

As an additional security measure, we will shortly be releasing a feature within the plugin that enables the website admin to reset the passwords of all users. A site running our plugin may already have been compromised through this vulnerability, for example by the injection of malware that captures login inputs, so we recommend resetting passwords after applying the security patch. This is to ensure the best protection for your website users’ passwords.

In the meantime, whilst we finalize testing on this new feature, we recommend that you follow the steps below to add additional security measures to your site.

  • Review & Delete Unknown Administrator accounts - This vulnerability allows attackers to create an administrator account on a WordPress site running Ultimate Member versions prior to 2.6.7. We recommend that you review all site administrators and delete any account you do not recognise. 
  • Reset All User Passwords (including your own admin account password) - We recommend that you reset all user passwords and have users set a new password via the reset password mechanism. We will be introducing a feature in the plugin to enable this shortly. 
  • Install & Activate Security Plugins - We recommend that you install a security plugin such as WPScan or Wordfence to help your site detect suspicious activity. You may also try this plugin to help protect against XSS injections. 
  • SSL Protection - Ensure that your site is served over HTTPS with a valid SSL/TLS certificate, so that sensitive data transmitted to and from your website is encrypted in transit. You can ask your hosting provider to assist you with setting up SSL on your server. 
  • Daily Site Files & Database Backup - It is best practice to create daily backups of your site files and database so that, if anything happens, you can restore your site to a known-good version. 
  • Send Advisories to your site members/customers about the incident - We recommend that you inform your customers or site members about this incident and provide instructions on how to reset their passwords on your site. Ask them to choose a new password that differs from their old one.


What’s next?

  • We are awaiting feedback from WPScan on the version 2.6.7 release and are continuing to evaluate our plugin for other potential security vulnerabilities. We are also going to be evaluating all our extensions for increased security measures.

Thank you

We would like to apologize again for the stress and inconvenience this may have caused you, and to thank everyone for your patience and understanding whilst we work on patching these issues. We are very lucky to have such a loyal user base, with over 200,000 websites using our plugin, and ensuring the plugin is safe and secure to use is of the utmost importance to us. We have learned a lot from this security vulnerability disclosure and will be working hard to ensure the security of our plugin moving forward.