Platform
wordpress
Component
indeed-membership-pro
Fixed in
12.6.1
CVE-2024-43240 describes a Privilege Escalation vulnerability in the azzaroco Ultimate Membership Pro WordPress plugin (plugin slug indeed-membership-pro). The flaw lets an attacker raise their privileges, potentially to full administrative control of the affected WordPress site. It affects versions up to and including 12.6; the fix is in version 12.6.1.
The impact is severe. A successful exploit bypasses WordPress's role-based access control and gives the attacker the administrator role, which means full control of the site: editing content, installing or modifying plugins and themes (and therefore running arbitrary PHP), reading sensitive data such as user credentials, customer records and payment details, and defacing the site. The blast radius covers all data and functionality managed by the WordPress installation, and is larger still where the site handles personal data or financial transactions.
CVE-2024-43240 was publicly disclosed on 2024-08-19. At the time of writing no public proof-of-concept exploit is known; its EPSS score is 0.57% (68th percentile). Check the CISA KEV catalog directly for its current status: a KEV listing means confirmed exploitation in the wild, not a "medium probability". Privilege-escalation bugs in widely installed WordPress plugins are routinely weaponised shortly after disclosure, so the exploitation risk should be treated as high regardless.
WordPress sites running Ultimate Membership Pro in any version before 12.6.1 are at risk. Shared hosting environments deserve particular attention: an administrator-level compromise of one site can be used to attack other sites on the same server if the hosting does not isolate tenants.
• wordpress: confirm whether the plugin is installed and which version is present
wp plugin list | grep indeed-membership-pro
wp plugin get indeed-membership-pro --field=version
• wordpress: update the plugin (or all plugins)
wp plugin update indeed-membership-pro
wp plugin update --all
• wordpress: look for requests to the plugin's files in the web server access log
grep -r '/wp-content/plugins/indeed-membership-pro/' /var/log/apache2/access.log
Disclosure
2024-08-19
Patch
12.6.1
EPSS
0.57% (68th percentile)
The primary mitigation for CVE-2024-43240 is to upgrade Ultimate Membership Pro to version 12.6.1 or later without delay. If an immediate upgrade is blocked by compatibility concerns, temporarily restrict access to the membership plugin's administrative features. This is not a complete fix, but combined with strict role assignments and regular audits of user accounts (in particular, look for administrator accounts you did not create) it limits the damage an attacker can do. Monitor the web server access logs for suspicious activity, especially requests to administrative functions that are not preceded by a normal authenticated session.
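The version check from the detection commands above and the account audit from the mitigation advice can be scripted together. The following is an added example, not code from the page or from the plugin vendor: it consumes the JSON that WP-CLI prints for `wp plugin list --format=json` and `wp user list --role=administrator --fields=ID,user_login,user_registered --format=json`, decides whether the installed copy is older than the 12.6.1 fix (treating "12.6" as 12.6.0), and flags administrator accounts that are either not on an expected roster or were registered on or after the 2024-08-19 disclosure date. The JSON samples are constructed for the demonstration, and the `known_admins` roster is a hypothetical input you would supply for your own site.

```python
"""Triage helper for CVE-2024-43240 (Ultimate Membership Pro <= 12.6).

Added example, not code from the page or the plugin vendor.
Input is the JSON printed by:
    wp plugin list --format=json
    wp user list --role=administrator --fields=ID,user_login,user_registered --format=json
The sample JSON at the bottom is constructed for the demonstration.
"""
import json
import re
from datetime import datetime

PLUGIN_SLUG = "indeed-membership-pro"
FIXED_VERSION = "12.6.1"
DISCLOSURE_DATE = datetime(2024, 8, 19)   # public disclosure date from the advisory


def parse_version(v):
    """Turn '12.6' or '12.6.1-beta' into a tuple of ints; pre-release suffixes are ignored."""
    return tuple(int(p) for p in re.findall(r"\d+", v.split("-")[0]))


def version_lt(a, b):
    """True if version a is older than b; missing components count as 0 ('12.6' == 12.6.0)."""
    ta, tb = parse_version(a), parse_version(b)
    width = max(len(ta), len(tb))
    ta += (0,) * (width - len(ta))
    tb += (0,) * (width - len(tb))
    return ta < tb


def vulnerable_installs(plugin_list_json):
    """Return (slug, version, status) for every copy of the plugin older than the fix.

    Inactive copies are reported too: they can be re-activated and still need the update.
    """
    found = []
    for p in json.loads(plugin_list_json):
        if p.get("name") == PLUGIN_SLUG and version_lt(p["version"], FIXED_VERSION):
            found.append((p["name"], p["version"], p.get("status")))
    return found


def suspicious_admins(user_list_json, known_admins):
    """Administrators not on the expected roster, or registered on/after disclosure.

    A privilege-escalation bug is typically cashed out as an unexpected admin account,
    so both conditions are worth a manual review.
    """
    flagged = []
    for u in json.loads(user_list_json):
        registered = datetime.strptime(u["user_registered"], "%Y-%m-%d %H:%M:%S")
        if u["user_login"] not in known_admins or registered >= DISCLOSURE_DATE:
            flagged.append(u["user_login"])
    return flagged


# Constructed sample output in the shape WP-CLI produces; not captured from a real site.
SAMPLE_PLUGINS = json.dumps([
    {"name": "akismet", "status": "active", "update": "none", "version": "5.3.3"},
    {"name": "indeed-membership-pro", "status": "active", "update": "available", "version": "12.6"},
])
SAMPLE_ADMINS = json.dumps([
    {"ID": 1, "user_login": "siteowner", "user_registered": "2021-03-02 10:11:12"},
    {"ID": 418, "user_login": "wpsupport", "user_registered": "2024-08-21 03:14:15"},
])

if __name__ == "__main__":
    for slug, ver, status in vulnerable_installs(SAMPLE_PLUGINS):
        print(f"VULNERABLE: {slug} {ver} ({status}); upgrade to {FIXED_VERSION}")
    for login in suspicious_admins(SAMPLE_ADMINS, known_admins={"siteowner"}):
        print(f"REVIEW: unexpected or recently registered administrator '{login}'")
```

On a real site, feed the script with `wp plugin list --format=json` and the `wp user list` command above; an administrator that appears in the flagged list and that nobody recognises should be treated as an indicator of compromise, not just removed.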
Update the Indeed Ultimate Membership Pro plugin to the latest available version. The privilege escalation vulnerability allows unauthenticated users to gain unauthorized access. The update fixes this vulnerability and protects your website.
CVE-2024-43240 is a critical vulnerability in Ultimate Membership Pro that allows attackers to gain elevated privileges, up to full administrative control of the WordPress site. It affects versions up to and including 12.6.
Yes. If you run Ultimate Membership Pro version 12.6 or earlier, you are affected by this privilege escalation vulnerability.
Upgrade Ultimate Membership Pro to version 12.6.1 or later to resolve the vulnerability. If immediate upgrade is not possible, restrict access to administrative features.
No public exploit is currently known. Check the CISA KEV catalog for the CVE's current status; a listing there would mean confirmed exploitation in the wild. Given how quickly WordPress plugin flaws of this class are weaponised, do not wait for a public exploit before patching.
Refer to the official Ultimate Membership Pro website or WordPress plugin repository for the latest advisory and update information.