CVE-2024-1071: Critical SQL Injection Vulnerability in Ultimate Member Plugin Exposes WordPress Sites

The WordPress community faces a significant security challenge with the revelation of a critical vulnerability in the widely-used Ultimate Member plugin. Tracked as CVE-2024-1071, this flaw, discovered by security researcher Christiaan Swiers, poses a severe threat to WordPress sites. This article provides an overview of the technical details surrounding CVE-2024-1071, its potential consequences, and the urgent need for mitigation measures.

Technical Overview of CVE-2024-1071

1. Vulnerability Details: The flaw exists in versions 2.1.3 to 2.8.2 of the Ultimate Member plugin. It is identified as a SQL Injection vulnerability related to the ‘sorting’ parameter. Attackers exploit this weakness by injecting malicious SQL queries, utilizing inadequate escaping mechanisms and query preparation.
2. Affected Users: Users who have enabled the “Enable custom table for usermeta” option within the plugin settings are vulnerable.
3. Risk Assessment: CVE-2024-1071 carries an alarming CVSS score of 9.8 out of 10, indicating its critical nature. The vulnerability allows unauthorized threat actors to infiltrate websites, manipulate database contents, and potentially extract sensitive data.

Patch and Mitigation Measures

1. Patch Release: Plugin developers responded promptly to responsible disclosure, releasing a patch in version 2.8.3 of Ultimate Member on February 19.
2. User Action: Users are urged to update their Ultimate Member plugins to version 2.8.3 immediately. Timely updating is crucial to shield websites from potential exploitation, as evidenced by an attempted attack intercepted by Wordfence within 24 hours of vulnerability disclosure.

Broader Trend of WordPress Vulnerabilities

Persistent Threat Landscape: CVE-2024-1071 is part of an ongoing trend of vulnerabilities targeting WordPress sites. Similar incidents, such as CVE-2023-3460, have been exploited by threat actors to orchestrate malicious activities, including the creation of rogue admin users.

Emergence of New Threat Campaigns

1. Crypto Drainers Campaign: A new campaign exploits compromised WordPress sites to inject crypto drainers. Leveraging the Web3 ecosystem’s direct wallet interactions, this campaign poses risks to website owners and user assets.
2. Drainer-as-a-Service (DaaS) Schemes: Schemes like CryptoGrab (CG), operating as a large-scale affiliate program, facilitate fraudulent operations efficiently.

Conclusion

The discovery of CVE-2024-1071 underscores the persistent threats faced by WordPress sites. Users must remain vigilant, promptly update their plugins, and adopt proactive cybersecurity practices. The interconnected nature of emerging threats emphasizes the need for a holistic approach to WordPress security, combining regular updates, responsible disclosure, and user awareness to navigate the online landscape securely.