CVE-2024-1071 WordPress Plugin Vulnerability

A worrisome security vulnerability has been exposed in the widely used WordPress plugin Ultimate Member, which has over 200,000 active installations. The flaw, tracked as CVE-2024-1071 and assigned a CVSS score of 9.8 out of 10, was reported by security researcher Christiaan Swiers.

According to an advisory issued to users, the vulnerability affects versions 2.1.3 to 2.8.2 of the plugin and is a SQL injection through the 'sorting' parameter. The weakness stems from insufficient escaping of the user-supplied parameter and a lack of sufficient preparation on the existing SQL query. As a result, unauthenticated attackers could append additional SQL queries to existing ones and extract sensitive data from the database.

It's important to highlight that this issue exclusively impacts users who have enabled the 'Enable custom table for usermeta' option in the plugin settings.
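The escaping-versus-preparation point above, shown as an added PHP sketch that is not the plugin's own code: it assumes WordPress's global $wpdb and a hypothetical member listing driven by a 'sorting' request value. The unsafe version interpolates the value into ORDER BY; the hardened one resolves it against a fixed allowlist and prepares the remaining values.

```php
<?php
// Added illustration (not Ultimate Member's code). Assumes the WordPress
// global $wpdb; the functions and sort keys below are hypothetical.

// Unsafe pattern: the request value lands directly in the ORDER BY clause.
// Note that esc_sql() would not help here either: it escapes quote characters
// for a quoted string literal, but ORDER BY takes an unquoted identifier, so
// an escaped value is still interpolated verbatim into the query.
function um_example_list_unsafe($sorting) {
    global $wpdb;
    $sql = "SELECT ID FROM {$wpdb->users} ORDER BY {$sorting}";
    return $wpdb->get_col($sql);
}

// Hardened helper: map the request value to one of a fixed set of ORDER BY
// fragments. This is required because $wpdb->prepare() placeholders can only
// carry values, not column names or the ASC/DESC keyword.
function um_example_sort_clause($sorting) {
    $allowed = array(
        'newest' => 'user_registered DESC',
        'oldest' => 'user_registered ASC',
        'name'   => 'display_name ASC',
    );
    $key = is_string($sorting) ? $sorting : '';
    return isset($allowed[$key]) ? $allowed[$key] : $allowed['newest'];
}

// Hardened pattern: only the allowlisted fragment is interpolated; every
// value supplied by the request (here the page size) goes through prepare().
function um_example_list_safe($sorting, $limit = 20) {
    global $wpdb;
    $order_by = um_example_sort_clause($sorting);
    $limit    = max(1, min(100, (int) $limit));
    $sql = $wpdb->prepare(
        "SELECT ID FROM {$wpdb->users} ORDER BY {$order_by} LIMIT %d",
        $limit
    );
    return $wpdb->get_col($sql);
}

// Example call with an unexpected sort value: it falls back to 'newest'
// instead of reaching the query.
// um_example_list_safe(isset($_GET['sorting']) ? $_GET['sorting'] : 'newest');
```

A quick check for any plugin taking a sort or order parameter is to grep for ORDER BY built with string interpolation and confirm each interpolated piece is resolved through an allowlist rather than escaped.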

Users Should Update Their Plugins as Soon as Possible

Following the responsible disclosure of the critical vulnerability, the plugin developers promptly addressed the issue by releasing version 2.8.3 on February 19.

Users are strongly advised to update the plugin to the latest version as soon as possible to minimize potential threats. This recommendation is particularly crucial because Wordfence has already blocked an attack targeting the vulnerability within the last 24 hours.

Notably, this isn't the first time the plugin has faced security challenges. In July 2023, cybercriminals successfully exploited another weakness in the same plugin, identified as CVE-2023-3460. This vulnerability, also carrying a CVSS score of 9.8, was actively abused by threat actors to establish unauthorized admin users and gain control of vulnerable websites.

Cybercriminal Groups Often Target WordPress

A recent campaign has seen a notable increase in compromised WordPress sites being used either to inject crypto drainers such as Angel Drainer directly or to redirect visitors to Web3 phishing sites hosting drainers.

These attacks employ phishing strategies and malicious injections to take advantage of the Web3 ecosystem's reliance on direct wallet interactions, posing a significant threat to both website owners and the security of user assets.

This trend follows the identification of a new drainer-as-a-service (DaaS) initiative known as CG (CryptoGrab). CG operates a robust affiliate program with over 10,000 members, encompassing Russian, English, and Chinese speakers. Notably, a Telegram channel controlled by threat actors guides potential attackers to a Telegram bot, facilitating the execution of fraud operations without external dependencies.

The capabilities of this bot include obtaining a domain for free, duplicating an existing template for the new domain, specifying the wallet address for redirected funds, and providing Cloudflare protection for the newly created domain.

Furthermore, the threat group employs two custom Telegram bots named SiteCloner and CloudflarePage. SiteCloner duplicates existing legitimate websites, while CloudflarePage adds Cloudflare protection. These cloned pages are then disseminated primarily through compromised X (formerly Twitter) accounts.
