CVE-2023-3460
Published on: Not Yet Published
Last Modified on: 07/14/2023 02:44:00 PM UTC
Certain versions of Ultimate Member from Ultimatemember contain the following vulnerability:
The Ultimate Member WordPress plugin before 2.6.7 does not prevent visitors from creating user accounts with arbitrary capabilities, effectively allowing attackers to create administrator accounts at will. This is actively being exploited in the wild.
- CVE-2023-3460 has been assigned by con[email protected] to track the vulnerability - currently rated as CRITICAL severity.
- Affected Vendor/Software: Unknown - Ultimate Member version < 2.6.7
CVSS3 Score: 9.8 - CRITICAL
Attack Vector | Attack Complexity | Privileges Required | User Interaction |
---|---|---|---|
NETWORK | LOW | NONE | NONE |

Scope | Confidentiality Impact | Integrity Impact | Availability Impact |
---|---|---|---|
UNCHANGED | HIGH | HIGH | HIGH |
CVE References
Description | Tags | Link |
---|---|---|
Hacking Campaign Actively Exploiting Ultimate Member Plugin - WPScan WordPress Security | blog.wpscan.com text/html |
Ultimate Member <= 2.6.6 - Unauthenticated Privilege Escalation WordPress Security Vulnerability | web.archive.org text/html (Inactive Link, Not Archived) |
Related QID Numbers
- 730836 WordPress Plugin Ultimate Member Unauthenticated Privilege Escalation Vulnerability
Exploit/POC from Github
Exploit for CVE-2023-3460. Unauthorized admin access for Ultimate Member plugin < v2.6.7
Known Affected Configurations (CPE V2.3)
Type | Vendor | Product | Version | Update | Edition | Language |
---|---|---|---|---|---|---|
Application | Ultimatemember | Ultimate Member | All | All | All | All |
- cpe:2.3:a:ultimatemember:ultimate_member:*:*:*:*:*:wordpress:*:*:
No vendor comments have been submitted for this CVE
Social Mentions
Source | Title | Posted (UTC) |
---|---|---|
CVE-2023-3460: An Ongoing Exploitation of WordPress Plugin's Privilege Escalation Flaw securityonline.info/cve-2023-3460-…… twitter.com/i/web/status/1… | 2023-06-30 19:32:33 |
CVE-2023-3460: An Ongoing Exploitation of WordPress Plugin’s Privilege Escalation Flaw securityonline.info/cve-2023-3460-…… twitter.com/i/web/status/1… | 2023-06-30 19:40:10 |
#Vulnerability #CVE20233460 CVE-2023-3460: An Ongoing Exploitation of WordPress Plugin’s Privilege Escalation Flaw securityonline.info/cve-2023-3460-… | 2023-07-01 06:38:02 |
#WordPress #SecurityAlert #UltimateMember #CVE-2023-3460 #ExploitAlert: 200K WordPress sites are at risk of attack… twitter.com/i/web/status/1… | 2023-07-01 07:33:12 |
⚡ URGENT — Hackers are exploiting an UNPATCHED #vulnerability (CVE-2023-3460) in Ultimate Member plugin, used by ov… twitter.com/i/web/status/1… | 2023-07-01 07:33:50 |
⚡ URGENT — Hackers are exploiting an UNPATCHED #vulnerability (CVE-2023-3460) in Ultimate Member plugin, used by ov… twitter.com/i/web/status/1… | 2023-07-01 07:34:11 |
⚡ URGENT — Hackers are exploiting an UNPATCHED #vulnerability (CVE-2023-3460) in Ultimate Member plugin, used by ov… twitter.com/i/web/status/1… | 2023-07-01 07:34:31 |
⚡ URGENT — Hackers are exploiting an UNPATCHED #vulnerability (CVE-2023-3460) in Ultimate Member plugin, used by ov… twitter.com/i/web/status/1… | 2023-07-01 07:38:58 |
TheHackersNews: ⚡ URGENT — Hackers are exploiting an UNPATCHED #vulnerability (CVE-2023-3460) in Ultimate Member pl… twitter.com/i/web/status/1… | 2023-07-01 07:41:30 |
⚡ URGENT — Hackers are exploiting an UNPATCHED #vulnerability (CVE-2023-3460) in Ultimate Member plugin, used by ov… twitter.com/i/web/status/1… | 2023-07-01 07:54:00 |
Alert CVE-2023-3460 Unpatched #WordPress Ultimate Member Flaw 9.8 hunter.how/list?searchVal… Dork: "/wp-content… twitter.com/i/web/status/1… | 2023-07-01 10:00:02 |
⚡ URGENT — Hackers are exploiting an UNPATCHED #vulnerability (CVE-2023-3460) in Ultimate Member plugin, used by ov… twitter.com/i/web/status/1… | 2023-07-01 10:14:02 |
More than 200,000 WordPress sites are affected by the CVE-2023-3460 vulnerability through the Ultimate Member plugin, which enables the attacker… twitter.com/i/web/status/1… | 2023-07-01 15:44:02 |
A critical zero-day vulnerability (CVE-2023-3460) in the popular 'Ultimate Member' WordPress plugin allows hackers… twitter.com/i/web/status/1… | 2023-07-01 17:28:11 |
Hackers are exploiting a critical zero-day privilege escalation vulnerability (CVE-2023-3460) in 'Ultimate Member'… twitter.com/i/web/status/1… | 2023-07-01 17:28:11 |
Our CTI team identified a lot of activities targeting Ultimate Member Plugin (CVE-2023-3460) vuldb.com/?ctiid.232745 | 2023-07-01 23:16:33 |
URGENT — Hackers are exploiting an unpatched vulnerability (CVE-2023-3460) in the Ultimate Member plugin, used by more than 200,000 WordPress sites, and are secretly creating administrator accounts… twitter.com/i/web/status/1… | 2023-07-02 04:41:50 |
200,000 WordPress sites are affected by the CVE-2023-3460 vulnerability. The flaw is in the Ultimate Member plugin and it lets hackers perform privi… twitter.com/i/web/status/1… | 2023-07-02 06:11:17 |
CVE-2023-3460 Unpatched #WordPress Ultimate Member Flaw 9.8 Find it easily on @HunterMapping… twitter.com/i/web/status/1… | 2023-07-02 07:19:52 |
The exploited flaw tracked as CVE-2023-3460, and having a CVSS v3.1 score of 9.8, impacts all versions of the Ultim… twitter.com/i/web/status/1… | 2023-07-02 08:11:22 |
URGENT - Hackers are exploiting an UNPATCHED #vulnerability (CVE-2023-3460) in the Ultimate Member plug-in, used… twitter.com/i/web/status/1… | 2023-07-02 09:34:51 |
#CVE-2023-3460 Unpatched #WordPress Ultimate Member Flaw 9.8 FOFA Query: body="/wp-content/plugins/um-user-locati… twitter.com/i/web/status/1… | 2023-07-02 13:28:24 |
Attacks are under way that exploit an unpatched, serious vulnerability (CVE-2023-3460) in Ultimate Member, a membership-management plugin for WordPress, to secretly create administrator accounts. Reported by WPScan. With the plugin, users themselves… twitter.com/i/web/status/1… | 2023-07-02 23:12:44 |
The exploited flaw, known as CVE-2023-3460, has received a 9.8 score on the CVSS v3.1 scale, indicating a critical… twitter.com/i/web/status/1… | 2023-07-03 00:30:46 |
Privilege escalation vulnerability (CVE-2023-3460) in the WordPress plugin "Ultimate Member". Zero-day attacks on a WP plugin for building membership sites - check for compromise (page 1 of 2): Securit… twitter.com/i/web/status/1… | 2023-07-03 06:58:16 |
Critical Alert‼️ As many as 200,000 WordPress websites are at risk! A major security #flaw(CVE-2023-3460) in the… twitter.com/i/web/status/1… | 2023-07-03 09:15:41 |
Critical vulnerability CVE-2023-3460 in the Ultimate Member plugin for WordPress allows adding an account to the site with… twitter.com/i/web/status/1… | 2023-07-03 10:17:02 |
CVE-2023-3460: Privilege Escalation in UltimateMember WordPress plugin, 9.8 rating! A vulnerability has been obs… twitter.com/i/web/status/1… | 2023-07-03 11:30:00 |
Alert CVE-2023-3460 Unpatched #WordPress Ultimate Member Flaw 9.8 hunter.how/list?searchVal… Dork: "/wp-content… twitter.com/i/web/status/1… | 2023-07-03 13:03:05 |
CVE-2023-3460 : The Ultimate Member WordPress plugin before 2.6.7 does not prevent visitors from creating user acco… twitter.com/i/web/status/1… | 2023-07-04 08:08:46 |
Potentially Critical CVE Detected! CVE-2023-3460 The Ultimate Member WordPress plugin before 2.6.7 does not prevent… twitter.com/i/web/status/1… | 2023-07-04 09:11:02 |
A new #0day vulnerability (CVE-2023-3460) in a popular #WordPress plugin puts at risk thousands of sit… twitter.com/i/web/status/1… | 2023-07-04 12:38:44 |
CVE-2023-3460 Flaw in the wordpress ultimate member plugin, allows the creation of secret adminis… twitter.com/i/web/status/1… | 2023-07-04 15:27:02 |
CVE-2023-3460 is getting exploited #inthewild. Find out more at inthewild.io/vuln/CVE-2023-… | 2023-07-04 21:26:05 |
#WordPress Plugin Ultimate Member Unauthenticated Privilege Escalation #Vulnerability (CVE-2023-3460) threatprotect.qualys.com/2023/07/05/wor… | 2023-07-05 15:22:53 |
A brief summary and story about the vulnerability in Ultimate Member CVE-2023-3460 s3cur1ty.ch/posts/ultimate… #Wordpress #UltimateMember | 2023-07-05 20:21:21 |
It seems a PoC already exists. (Unverified) --- gbrsh/CVE-2023-3460: Exploit for CVE-2023-3460. Unauthorized admin access for Ultimate Memb… twitter.com/i/web/status/1… | 2023-07-06 06:06:48 |
WordPress plugin Ultimate Member unauthorized privilege escalation (CVE-2023-3460) dlvr.it/SrmCBJ | 2023-07-06 10:31:03 |
The critical vulnerability CVE-2023-3460 in the Ultimate Member plugin for WordPress lets you add an acc… twitter.com/i/web/status/1… | 2023-07-06 14:16:18 |
cybersoochna.com/cve-2023-3460-… #CyberSecurity #Vulnerability #WordPressPlugin #SecurityBreach #WebsiteSecurity… twitter.com/i/web/status/1… | 2023-07-09 06:32:32 |
Monitoring of #POC (Proof Of Concept) on @github: CVE-2023-32315: github.com/izzz0/CVE-2023… CVE-2023-3460… twitter.com/i/web/status/1… | 2023-07-10 06:41:33 |
How to Fix CVE-2023-3460- A Privilege Escalation Vulnerability in Ultimate Member WordPress Plugin? Read Details:… twitter.com/i/web/status/1… | 2023-07-10 14:36:48 |
WARNING: WP plugin Ultimate Member - CVE-2023-3460 | 2023-06-30 07:43:40 |