Security Incident Update and Recommended Actions
WPScan has confirmed that the vulnerability is resolved in Ultimate Member version 2.6.7. Details of that confirmation are at https://blog.wpscan.com/hacking-campaign-actively-exploiting-ultimate-member-plugin/.
To our Ultimate Member users,
We have written this document to give you additional information about the security vulnerabilities that were recently disclosed to us.
Firstly, we want to apologise for these vulnerabilities in our plugin's code, to any website that has been impacted, and for the worry that learning of them may have caused.
As soon as we were made aware that security vulnerabilities had been discovered in the plugin, we began updating the code to patch them.
We have released several updates since the disclosure as we worked through the vulnerabilities, and we want to say a big thank you to the team at WPScan for the assistance and guidance they provided after getting in touch to disclose them.
Below is an overview of the events around this vulnerability, as well as the additional security measures we are implementing.
Overview
We received communication about a "privilege escalation vulnerability" in the plugin on the 26th of June. We immediately started investigating and undertook internal testing while awaiting more details.
After receiving more details about attackers being able to submit the 'wp_capabilities' meta key through our forms, we released version 2.6.4, which included a fix for that, and we also removed the extract() function from the admin side of the Ultimate Member plugin.
After this release, the WPScan team got in touch to let us know that attackers could still use the 'wp_caPabilitiEs' key: the meta_key column in the WordPress database uses a case-insensitive collation, so a key that differs only in case is stored and read as the same key. We released 2.6.5 to fix this and also removed the extract() function from the front end of the plugin.
After this release, following further communication with the WPScan team and the creation of this core trac ticket https://core.trac.wordpress.org/ticket/58679#ticket, we decided to change the submission handlers in the plugin.
Marc Montpas (Automattic) wrote:
To be more clear, I'm not sure it can 100% be fixed without forbidding UTF-8 characters altogether, or, better, implementing an allowlist validation routine pattern to restrict form fields only to a set of known legitimate, rather than potentially malicious, metas. The problem is the "utf8mb4_unicode_ci" collation WordPress uses has a bunch of other character equivalence quirks like the ones I submitted earlier. For example, another one that could bypass your latest fix is Unicode free-standing underscores, whose encoding follows the letter that needs to be underscored, instead of having one for each character in existence: user_login-29=hackuser19&user_password-29=P@ssw0rd%21&wP_capa%cc%b2bilities-29[administrator]=1&confirm_user_password-29=P@ssw0rd%21&first_name-29=Igor&form_id=29&um_request=&_wpnonce=a918042906&_wp_http_referer=%2fregister%2f There are hundreds of other side-cases like this, and as far as I know, WordPress does not have a function to "normalize" them all in a way that wouldn't cause other side-effects.
Version 2.6.6 was released with hotfixes for issues that had been detected after removing the extract() function.
Version 2.6.7 was released on the 1st of July to patch the security vulnerability. 2.6.7 introduces an allowlist (whitelist) of the meta keys we store when a form is submitted, so that only keys defined by the form configuration are written, regardless of how a submitted key is spelled. 2.6.7 also separates form settings data from submitted data and keeps them in two different variables.
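The following is an added example, not Ultimate Member's own code. It models the two approaches described above for the meta keys written by a registration form: a deny-list that blocks 'wp_capabilities', which is bypassed because the utf8mb4_unicode_ci collation treats differently-cased and combining-mark variants as the same key, and an allow-list taken from the form's own field configuration, which accepts only the keys the form defines. The field naming (meta key followed by -form_id) follows the request quoted above; the deny-list, allow-list, form settings and request body are constructed for illustration, and collation_fold() is only an approximation of the real collation's equivalence rules.

```python
"""Deny-list vs allow-list for form meta keys under a case- and mark-insensitive collation.

Added example, not the plugin's code. All names and data below are assumed.
"""
import unicodedata
from urllib.parse import parse_qs

# Request plumbing fields (taken from the quoted request), never user meta.
CONTROL_FIELDS = {"form_id", "um_request", "_wpnonce", "_wp_http_referer"}

# Assumed deny-list of the kind a quick hotfix would use.
DENIED_KEYS = {"wp_capabilities", "wp_user_level"}

# Assumed form configuration. It lives in its own variable, separate from the
# submitted data, so a submission can never overwrite a setting.
FORM_SETTINGS = {
    "form_id": "29",
    "fields": {"user_login", "user_email", "first_name", "last_name"},
}


def collation_fold(key: str) -> str:
    """Approximate utf8mb4_unicode_ci equivalence: ignore case and combining
    marks such as U+0332 (the free-standing underscore in the quoted bypass).
    The real collation has many more equivalences, which is why a deny-list
    that enumerates spellings cannot be complete."""
    decomposed = unicodedata.normalize("NFKD", key)
    without_marks = "".join(c for c in decomposed if not unicodedata.combining(c))
    return without_marks.casefold()


def field_to_meta_key(field: str, form_id: str) -> str:
    """'wp_capabilities-29[administrator]' -> 'wp_capabilities'."""
    base = field.split("[", 1)[0]
    if not form_id:
        return base
    suffix = "-" + form_id
    return base[: -len(suffix)] if base.endswith(suffix) else base


def parse_submission(body: str) -> dict:
    """Turn a URL-encoded form body into {meta_key: value}; keys are percent-decoded."""
    params = parse_qs(body, keep_blank_values=True)
    form_id = params.get("form_id", [""])[0]
    return {
        field_to_meta_key(name, form_id): values[0]
        for name, values in params.items()
        if name not in CONTROL_FIELDS
    }


def denylist_filter(submitted: dict) -> dict:
    """The fragile approach: drop only byte-exact matches of denied keys."""
    return {k: v for k, v in submitted.items() if k not in DENIED_KEYS}


def keys_colliding_with_denied(submitted: dict) -> set:
    """Keys that pass the exact-match filter but that the database would
    treat as equal to a denied key."""
    folded = {collation_fold(k) for k in DENIED_KEYS}
    return {k for k in submitted if collation_fold(k) in folded}


def allowlist_filter(submitted: dict, settings: dict = FORM_SETTINGS) -> dict:
    """The 2.6.7-style approach: keep only keys the form configuration defines.
    Any other key, whatever its spelling, is discarded before it reaches the DB."""
    allowed = settings["fields"]
    return {k: v for k, v in submitted.items() if k in allowed}


# Constructed request body modelled on the bypass quoted above (%cc%b2 = U+0332).
BYPASS_BODY = (
    "user_login-29=hackuser19&user_password-29=P%40ssw0rd%21"
    "&wP_capa%cc%b2bilities-29[administrator]=1"
    "&first_name-29=Igor&form_id=29&um_request=&_wpnonce=a918042906"
)

if __name__ == "__main__":
    submitted = parse_submission(BYPASS_BODY)
    print("after deny-list: ", sorted(denylist_filter(submitted)))
    print("collides with denied key:", keys_colliding_with_denied(submitted))
    print("after allow-list:", sorted(allowlist_filter(submitted)))
```

Running it shows the variant key surviving the deny-list while being flagged as a collision, and the allow-list reducing the submission to user_login and first_name only; the password field is dropped as well because, in this model, it is not a meta key the form may write.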
3rd Party modifications
The release of 2.6.7 includes significant changes to how form submissions are handled, which may cause 3rd-party modifications to stop working. Third-party developers should update their customizations to support the changes in the latest version. If you have a question or want to report a problem, please create a topic on the forum or get in touch via our website. You can find the recent changes to the Ultimate Member hooks on this site.
Additional actions to take for your website and users
As an additional security measure, we will shortly release a feature within the plugin that lets the website admin reset the passwords of all users. The reason is that a site running our plugin may already have been compromised, for example by injected malware that captures login credentials, since this vulnerability lends itself to such attacks. We therefore recommend resetting passwords after applying the security patch, to protect your users' passwords.
In the meantime, while we finalize testing of this feature, we recommend that you follow the steps below to add further security measures to your site.
What’s next?
Thank you
We would like to apologize again for the stress and inconvenience this may have caused you, and to thank everyone for their patience and understanding while we work on patching these issues. We are very lucky to have such a loyal user base, with over 200,000 websites using our plugin, and ensuring the plugin is safe and secure to use is of the utmost importance to us. We have learned a lot from this security vulnerability disclosure and will be working hard to ensure the security of our plugin moving forward.