s3cur1ty blog

Ultimate Member - CVE-2023-3460 and the story behind

· Pascal Christen


Following my Thursday evening workout, I came across a concerning security alert related to the WordPress Ultimate Member plugin. It was disheartening to hear that a security vulnerability could potentially grant unauthorized individuals WordPress Administrator privileges. A sigh of frustration escaped me as I absorbed this unfortunate news, as on almost every day when dealing with WordPress security. But let's start at the beginning of the story:


It wasn't the first time this plugin had a glaring security flaw. At the end of November 2020, there was already a major security vulnerability in the plugin, or rather several. Wordfence wrote a blog post about it here. You might think this is just another vulnerability, unrelated to CVE-2023-3460. But if you take a closer look, you realize there is a connection.

Exploit of CVE-2020-36155

With a CVSS score of 10 out of 10, this must be something interesting. It is exactly the same vulnerability class: Unauthenticated Privilege Escalation via User Meta (CVE-2020-36155).

Send a POST to /register with wp_capabilities[administrator] in the form data, and you are a WordPress Administrator.


The Ultimate Member team tried to fix it with this patch.


Now back to the current year. WPScan wrote in a blog post that there is (as of 2023-06-26) an unpatched vulnerability in the Ultimate Member plugin that allows an unauthenticated user to gain administrator privileges.

Exploit of CVE-2023-3460

Here we go: CVE-2023-3460

You may think this is the same screenshot as above. It is not: this time the meta key has to contain accented characters such as é, è or à.

Send a POST to /register with wp_capabilitiés[administrator] (note the é), and you are a WordPress Administrator. Voilà.
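The two requests above differ in a single character of the meta key, which is exactly what an exact-match blocklist of forbidden keys does not catch. The Python below is an added example, not code from the Ultimate Member plugin or from this post: it models a registration handler in three states, no filter at all (the 2020 situation), an exact-match blocklist (patched, then bypassed), and an allowlist of known profile fields, and shows which request ends up with the administrator role under each. The form field names, the three filter functions and the normalize_key rule, which stands in for whatever makes the backend treat wp_capabilitiés like wp_capabilities, are assumptions made for illustration and are not a description of WordPress or plugin internals.

```python
"""Added example, not code from Ultimate Member or the post's author.

Models the filter on a registration form's extra fields: a blocklist
(exact string match) is bypassed by a lookalike key, an allowlist is not.
All key names, filters and the 'equivalent key' rule are assumptions.
"""
import re
import unicodedata

# Assumed blocklist, modelled on the capability meta key from the post.
BLOCKED_META_KEYS = {"wp_capabilities", "wp_user_level"}

# Assumed allowlist: the only fields a registration form should write.
ALLOWED_META_KEYS = {"user_login", "user_email", "first_name", "last_name"}

# PHP-style field syntax: name or name[sub], as in wp_capabilities[administrator].
FIELD_RE = re.compile(r"^([^\[\]]+)(?:\[([^\[\]]*)\])?$")


def parse_post_body(body: dict) -> dict:
    """Turn raw POST fields into {key: value} or {key: {sub: value}}
    the way a PHP $_POST array would present them."""
    meta = {}
    for field, value in body.items():
        match = FIELD_RE.match(field)
        if not match:
            continue  # malformed field name, ignore it
        key, sub = match.group(1), match.group(2)
        if sub is None:
            meta[key] = value
        else:
            meta.setdefault(key, {})[sub] = value
    return meta


def normalize_key(key: str) -> str:
    """Assumed equivalence rule for illustration: case-fold and strip accents,
    so 'wp_capabilitiés' collapses to 'wp_capabilities'."""
    decomposed = unicodedata.normalize("NFKD", key)
    return "".join(c for c in decomposed if not unicodedata.combining(c)).casefold()


def filter_none(meta: dict) -> dict:
    """Unpatched state: every submitted key is stored."""
    return dict(meta)


def filter_blocklist(meta: dict) -> dict:
    """Blocklist state: drop keys that match the blocklist byte for byte.
    'wp_capabilitiés' is not in the set, so it passes."""
    return {k: v for k, v in meta.items() if k not in BLOCKED_META_KEYS}


def filter_allowlist(meta: dict) -> dict:
    """Hardened state: keep only keys explicitly allowed. Any unknown key,
    lookalike or not, is dropped."""
    return {k: v for k, v in meta.items() if k in ALLOWED_META_KEYS}


def effective_roles(stored_meta: dict) -> list:
    """Consumer side: read capabilities using the assumed equivalence rule,
    so a stored lookalike key is honoured as the real one."""
    for key, value in stored_meta.items():
        if normalize_key(key) == "wp_capabilities" and isinstance(value, dict):
            return sorted(role for role, enabled in value.items() if enabled)
    return []


def register(body: dict, filter_fn) -> list:
    """Simulated registration: parse, filter, 'store', report resulting roles."""
    stored = filter_fn(parse_post_body(body))
    return effective_roles(stored)


# Constructed request bodies mirroring the two requests in the post.
REQUEST_2020 = {
    "user_login": "eve",
    "user_email": "eve@example.invalid",
    "wp_capabilities[administrator]": "1",
}
REQUEST_2023 = {
    "user_login": "eve",
    "user_email": "eve@example.invalid",
    "wp_capabilitiés[administrator]": "1",
}

if __name__ == "__main__":
    for name, flt in (("none", filter_none), ("blocklist", filter_blocklist),
                      ("allowlist", filter_allowlist)):
        print(f"{name:9s} 2020 request -> {register(REQUEST_2020, flt)}")
        print(f"{name:9s} 2023 request -> {register(REQUEST_2023, flt)}")
```

The point of the allowlist variant is that it never has to anticipate the next lookalike spelling: only keys the form is known to own are written, so the question of how the backend compares the rest never arises.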


The Ultimate Member team needed several attempts to close the vulnerability. It should be fixed in version 2.6.7. Thank you very much!


As you can see, a supposedly closed security vulnerability can be exploited again with little effort, and this one has exposed around 200,000 WordPress installations to an enormous security risk. I will add the technical details to this or another blog post as soon as I get around to it.

Happy updating!