The article discusses a recent submission of an unauthenticated SQL Injection vulnerability in the Ultimate Member WordPress plugin. The vulnerability allows attackers to extract sensitive data from the database, such as password hashes. The discovery was made by Christiaan Swiers, who earned a bounty of $2,063.00 during the Wordfence Bug Bounty Program Extravaganza.
Wordfence Premium, Wordfence Care, and Wordfence Response users received protection against this vulnerability on January 30, 2024, with free users set to receive the same protection on February 29, 2024. The Ultimate Member Team promptly responded and released a patch on February 19, 2024.
The vulnerability stems from insufficient escaping on user-supplied parameters and the lack of proper preparation on existing SQL queries within versions 2.1.3 to 2.8.2 of the plugin. Exploiting this flaw could allow attackers to append additional SQL queries to extract information from the database.
A technical analysis reveals the specific functionality within the plugin that is vulnerable to SQL injection. The plugin’s implementation of user queries without proper sanitization opens the door for attackers to execute malicious SQL queries. The blog post also details the steps an attacker might take to exploit this vulnerability and how the Wordfence firewall can block such attempts.
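As an added illustration of the weakness the summary describes (this is not code from the Wordfence article or from the Ultimate Member plugin), the weak pattern, a request-supplied value concatenated into a `$wpdb` query, is shown beside the prepared and allow-listed form; the function names and the `$sort_by`/`$limit` parameters are hypothetical, and a WordPress context with the global `$wpdb` object is assumed.

```php
<?php
// Added example, not the Ultimate Member plugin's own code.
// Assumes a WordPress runtime where the global $wpdb object exists.
// Hypothetical scenario: a sort column and page size taken from a request.

// WEAK: the user-controlled value is concatenated straight into the SQL text,
// so whatever the caller places in $sort_by becomes part of the statement and
// additional SQL can be appended after the intended ORDER BY clause.
function um_like_unsafe_query( $sort_by, $limit ) {
    global $wpdb;
    $sql = "SELECT ID, user_login FROM {$wpdb->users} "
         . "ORDER BY {$sort_by} LIMIT {$limit}";
    return $wpdb->get_results( $sql );
}

// HARDENED: identifiers (column names) cannot be bound as placeholders, so they
// are restricted to an explicit allow-list; the numeric value is bound through
// $wpdb->prepare() with a %d placeholder instead of being interpolated.
function um_like_safe_query( $sort_by, $limit ) {
    global $wpdb;
    $allowed_columns = array( 'ID', 'user_login', 'user_registered' );
    if ( ! in_array( $sort_by, $allowed_columns, true ) ) {
        $sort_by = 'ID';               // unknown column: fall back to a safe default
    }
    $limit = absint( $limit );         // coerce to a non-negative integer
    if ( $limit < 1 || $limit > 100 ) {
        $limit = 20;                   // keep page size within a sane range
    }
    $sql = $wpdb->prepare(
        "SELECT ID, user_login FROM {$wpdb->users} ORDER BY {$sort_by} LIMIT %d",
        $limit
    );
    return $wpdb->get_results( $sql );
}
```

The allow-list is the important part for identifiers: `$wpdb->prepare()` only protects values passed through placeholders, never text that is interpolated into the query string.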
The disclosure timeline outlines the communication between Wordfence and the Ultimate Member Team regarding the vulnerability and the subsequent patch release. Users are advised to update to version 2.8.3 of the Ultimate Member plugin to mitigate the risk of exploitation.
Overall, the article emphasizes the importance of keeping WordPress plugins updated to prevent security risks and encourages readers to share the advisory so that other site owners can protect their sites. Wordfence users have already been provided with protection, and users of the free version will receive the same safeguards at a later date.