Vulnerability in Ultimate Member

CVE-2023-3460

The Ultimate Member WordPress plugin before 2.6.7 does not prevent visitors from creating user accounts with arbitrary capabilities, effectively allowing attackers to create administrator accounts at will. This is actively being exploited…

EPSS: 0.930 (99.8th percentile)

Affected products

  • Unknown Ultimate Member — versions 0

Frequently asked questions

What is CVE-2023-3460?
CVE-2023-3460 is a vulnerability in Ultimate Member, classified under CWE-269 (Improper Privilege Management). Published 2023-07-04.

Is CVE-2023-3460 known to be exploited?
26 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.