Critical zero-day vulnerability in Ultimate Member WordPress plugin

Target Industry

Indiscriminate, opportunistic targeting.

Overview

The Ultimate Member WordPress plugin, a widely used tool for handling user sign-ups and community building on WordPress websites, is affected by a zero-day privilege escalation vulnerability. Designated CVE-2023-3460, the vulnerability is being actively exploited by threat actors who bypass the plugin's security controls to register rogue administrator accounts. With a Common Vulnerability Scoring System (CVSS) v3.1 score of 9.8, the vulnerability is rated critical.

Impact

The exploitation of the CVE-2023-3460 vulnerability poses a significant risk to over 200,000 active installations of the Ultimate Member plugin. The attackers leverage the vulnerability to escalate privileges, registering rogue administrator accounts with full control over the compromised WordPress sites.

Vulnerability Detection

Open the ‘Plugins’ screen in the WordPress dashboard, locate the Ultimate Member plugin and note its installed version. Version 2.6.7 fixes CVE-2023-3460; any version prior to 2.6.7 is vulnerable.

Affected Products

All versions of the Ultimate Member plugin prior to 2.6.7.

Containment, Mitigations & Remediations

Given the ongoing exploitation of the vulnerability, we recommend updating the plugin to 2.6.7 as soon as possible. In addition, remove any administrator accounts you do not recognise and review logs for suspicious traffic.
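The version check and the review of administrator accounts described above can be scripted. The following is an added example, not part of the original bulletin: it assumes the site administrator has exported plugin and user data with WP-CLI (`wp plugin list --format=json` and `wp user list --role=administrator --format=json`), compares the installed Ultimate Member version against the fixed release 2.6.7 numerically (so 2.10.x is not mistaken for an older release), and lists administrator logins that are absent from an allowlist the owner maintains. The JSON records and the allowlist are constructed for the example.

```python
"""Triage helper for CVE-2023-3460 (Ultimate Member < 2.6.7).

Added example, not code from the bulletin or from the plugin project.
Assumes the JSON below has the shape produced by
`wp plugin list --format=json` and
`wp user list --role=administrator --format=json`; all records are constructed.
"""
import json
import re

FIXED_VERSION = "2.6.7"        # first release that fixes CVE-2023-3460
PLUGIN_SLUG = "ultimate-member"

# Constructed sample of `wp plugin list --format=json` output.
PLUGIN_LIST_JSON = """[
  {"name": "akismet", "status": "active", "update": "none", "version": "5.1"},
  {"name": "ultimate-member", "status": "active", "update": "available", "version": "2.6.6"}
]"""

# Constructed sample of `wp user list --role=administrator --format=json` output.
ADMIN_LIST_JSON = """[
  {"ID": 1, "user_login": "siteowner", "user_email": "owner@example.com",
   "user_registered": "2021-03-04 10:15:00", "roles": "administrator"},
  {"ID": 512, "user_login": "wpadmin2", "user_email": "x@example.net",
   "user_registered": "2023-06-29 02:41:17", "roles": "administrator"}
]"""

# Administrator logins the site owner actually recognises (assumed allowlist).
KNOWN_ADMINS = {"siteowner"}


def parse_version(text):
    """Turn '2.6.7' into (2, 6, 7) so the comparison is numeric, not lexical
    ('2.10.0' must sort after '2.9.0')."""
    return tuple(int(part) for part in re.findall(r"\d+", text))


def is_vulnerable(installed, fixed=FIXED_VERSION):
    """True when the installed version is older than the fixed release."""
    return parse_version(installed) < parse_version(fixed)


def check_plugin(plugin_list_json, slug=PLUGIN_SLUG):
    """Return (installed_version, vulnerable) for the plugin, or (None, False)
    when the plugin is not installed at all."""
    for plugin in json.loads(plugin_list_json):
        if plugin.get("name") == slug:
            version = plugin.get("version", "0")
            return version, is_vulnerable(version)
    return None, False


def unrecognised_admins(admin_list_json, known_admins=KNOWN_ADMINS):
    """Return administrator logins missing from the owner's allowlist,
    ordered by registration time so the newest appear last."""
    admins = json.loads(admin_list_json)
    unknown = [u for u in admins if u["user_login"] not in known_admins]
    unknown.sort(key=lambda u: u["user_registered"])
    return [u["user_login"] for u in unknown]


if __name__ == "__main__":
    version, vulnerable = check_plugin(PLUGIN_LIST_JSON)
    state = "VULNERABLE, update to " + FIXED_VERSION if vulnerable else "patched"
    print(f"Ultimate Member {version}: {state}")
    for login in unrecognised_admins(ADMIN_LIST_JSON):
        print(f"review administrator account: {login}")
```

Each account the script lists should be verified with the site owner before removal; a legitimate admin that was simply left off the allowlist will be flagged too. The version check is deliberately strict about the numeric comparison because a naive string compare treats "2.10.0" as older than "2.6.7".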

Threat Landscape

CVE-2023-3460 has added a new layer of complexity to the threat landscape for WordPress websites globally. The potential impact of this vulnerability is significantly high due to the wider user base of the Ultimate Member plugin which currently has over 200,000 active installations.

This vulnerability underscores the broader trend where attackers are increasingly exploiting vulnerabilities in popular third-party plugins to gain unauthorised access.

Mitre Methodologies

Privilege Escalation

T1068 – Exploitation for Privilege Escalation

Further Information

BleepingComputer article

WordPress plugin

WordPress plugins screen

