Howdy, Stranger!

It looks like you're new here. If you want to get involved, click one of these buttons!


Hackers exploit zero-day in Ultimate Member WordPress plugin with 200K installs
New on LowEndTalk? Please Register and read our Community Rules.

All new Registrations are manually reviewed and approved, so a short delay after registration may occur before your account becomes active.

Hackers exploit zero-day in Ultimate Member WordPress plugin with 200K installs

ArkasArkas Moderator

https://s-updigital.com/news/ultimate-member-wordpress-plugin-vulnerability/

Hackers are taking advantage of a zero-day privilege escalation vulnerability found in the widely used ‘Ultimate Member’ WordPress plugin, allowing them to bypass security measures and gain unauthorized access to websites. The plugin, which has over 200,000 active installations, is designed to facilitate user sign-ups and community building on WordPress sites.

Comments

  • tentortentor Member, Host Rep

    WordPress never changes

  • Because i've worked with this plugin. I can say - code EXTREMELY BAD. Very bad. I tired to optimize their STUPID JOIN/UNION queries. And drop the plugin, because this is some kind of bullshit. Whole plugin forum full of bugreports and reports of different issues. That is another example that "number of users" means nothing related to code quality.
    Not surprised at all. Piece of shit plugin.

  • EthernetServersEthernetServers Member, Patron Provider

    @tentor said:
    WordPress never changes

    Except, this isn't WordPress - this is a WordPress plugin.

    WordPress' core is solid.

    The problem is the plugin authors often do not care about security, but functionality. "If it works, that'll do, ship the code".

  • tentortentor Member, Host Rep
    edited July 2023

    @EthernetServers said: Except, this isn't WordPress - this is a WordPress plugin.

    I meant entire WordPress ecosystem and not specific developers or users.

  • emghemgh Member

    @tentor said:

    @EthernetServers said: Except, this isn't WordPress - this is a WordPress plugin.

    I meant entire WordPress ecosystem and not specific developers or users.

    Every software as big and open as WP will have shitty community plugins

    The only alternative is go have much higher standards for plugins and for high fees to be accepted

    As in, remake the plugin marketplace to Apple App Store

    But as long as we don't want that

    This is how it'll always be, no matter the platform

  • tentortentor Member, Host Rep
    edited July 2023

    @emgh said: Every software as big and open as WP will have shitty community plugins

    Sure, but it does not make excuse for WordPress to my opinion. Personally, if I need blog - I will stick with Hugo due to its' simplicity.

  • emghemgh Member

    @tentor said:

    @emgh said: Every software as big and open as WP will have shitty community plugins

    Sure, but it does not make excuse for WordPress to my opinion. Personally, if I need blog - I will stick with Hugo due to its' simplicity.

    I've always questioned the simplicity of these things

    They're not simple

    They're minimalistic

    Could you do what most people need with them, in a simpler way than WP, the websites for small businesses would all have been built with them, but it's always WP

    Thanked by 2BasToTheMax Baris
  • tentortentor Member, Host Rep

    @emgh said: Could you do what most people need with them

    You mean host the blog with static posts? Yes. But normies does not like this "CLI stuff" and prefer fancy editors with a lot of unnecessary JS.

  • emghemgh Member

    @tentor said:

    @emgh said: Could you do what most people need with them

    You mean host the blog with static posts? Yes. But normies does not like this "CLI stuff" and prefer fancy editors with a lot of unnecessary JS.

    What you call "CLI stuff" you're again proving it's clearly not simple

    What you call "fancy editors with a lot of unnecessary JS" is what most people call simple

    Just realize you're part of a niche community, "CLI stuff" is instantly not simple for anyone outside of it

  • tentortentor Member, Host Rep

    @emgh said: What you call "CLI stuff" you're again proving it's clearly not simple

    Well, you incorrectly understood term "simplicity". It is not simplicity for user actually, it is "as low features as required by software to be functional enough".

    @emgh said: What you call "fancy editors with a lot of unnecessary JS" is what most people call simple

    And this is what I call "bloat" :) This bloat expands attack surface and increases the complexity of the entire system. This is what helps hackers to find security issues and abuse them.

    @emgh said: Just realize you're part of a niche community

    I already realized it by separating from normies few messages above.

  • emghemgh Member

    @tentor said: Well, you incorrectly understood term "simplicity". It is not simplicity for user actually, it is "as low features as required by software to be functional enough".

    lol

    writing code in binary is super simple

  • tentortentor Member, Host Rep

    @emgh said: writing code in binary is super simple

    I have already explained you what I mean. I am not aware of more exact wording in English.

    It is funny that your last argument is quibbling.

  • @tentor said:

    @emgh said: Could you do what most people need with them

    You mean host the blog with static posts? Yes. But normies does not like this "CLI stuff" and prefer fancy editors with a lot of unnecessary JS.

    Rather than thinking about js, bloat and all, for small business, tool should make their life easy not the other way. Bye the way how do you manage search in those static site algolia?

  • tentortentor Member, Host Rep

    @sreekanth850 said: Bye the way how do you manage search in those static site algolia?

    I haven't had such task but here is example you certainly aren't aware of: https://stallman.org/site-search/index.html

  • tentortentor Member, Host Rep

    @sreekanth850 said: Rather than thinking about js, bloat and all, for small business, tool should make their life easy not the other way.

    Well, I haven't said that JS must be disabled by default at all. My point is that software must be minimalistic in its' design and solve only specific problem - thus not be a "swiss knife" universal tool combine.

    If you need website blog - you have plenty of alternatives to WordPress.
    If you need dynamic website, depending on your task you have plenty of them, including paying developer for creating own solution which does what you need exactly how you need it.

  • @tentor said:

    @sreekanth850 said: Bye the way how do you manage search in those static site algolia?

    I haven't had such task but here is example you certainly aren't aware of: https://stallman.org/site-search/index.html

    I'd never considered static site as a alternate for myself. But we do deal with search using typesense, and I'm sure its not that simple.

  • sreekanth850sreekanth850 Member
    edited July 2023

    @tentor said:

    @sreekanth850 said: Rather than thinking about js, bloat and all, for small business, tool should make their life easy not the other way.

    Well, I haven't said that JS must be disabled by default at all. My point is that software must be minimalistic in its' design and solve only specific problem - thus not be a "swiss knife" universal tool combine.

    If you need website blog - you have plenty of alternatives to WordPress.
    If you need dynamic website, depending on your task you have plenty of them, including paying developer for creating own solution which does what you need exactly how you need it.

    Agree, but even for static site search is a pain. Long back, we considered docusaurus as our documentation site, but after seeing that we should use algolia as primary search option we left it. I will say biggest issue is integrating search. Most of the hosted search solution are costly and selfhosting is a pain. I mean search solution like elastic, typesense or lucene.

  • ahnlakahnlak Member

    @sreekanth850 said:

    @tentor said:

    @sreekanth850 said: Rather than thinking about js, bloat and all, for small business, tool should make their life easy not the other way.

    Well, I haven't said that JS must be disabled by default at all. My point is that software must be minimalistic in its' design and solve only specific problem - thus not be a "swiss knife" universal tool combine.

    If you need website blog - you have plenty of alternatives to WordPress.
    If you need dynamic website, depending on your task you have plenty of them, including paying developer for creating own solution which does what you need exactly how you need it.

    Agree, but even for static site search is a pain. Long back, we considered docusaurus as our documentation site, but after seeing that we should use algolia as primary search option we left it. I will say biggest issue is integrating search. Most of the hosted search solution are costly and selfhosting is a pain. I mean search solution like elastic, typesense or lucene.

    Look at lunr; surprisingly simple to hook into a static site pipeline.

  • afnafn Member

    @desperand said: Not surprised at all. Piece of shit plugin.

    I agree the plugin is a mess, and I have always hated having to use it, but I have always had sites where the plugin was needed... did you (or anyone) find a good reliable substitute?

  • muddymuddy Member

    FYI, an update has been released (allegedly fixes issue). I had a site get bitten by this bug this week.

    Thanked by 1khadhafi1083
  • Does it mean more business and income when you get asked to patch/fix sites so this help website creators?

  • emghemgh Member

    @asterisk14 said:
    Does it mean more business and income when you get asked to patch/fix sites so this help website creators?

    No because owners don’t know until they’re actually hacked and fixing hacked websites with clueless owners and zero backups isn’t a particulary fun job

  • @afn said: I agree the plugin is a mess, and I have always hated having to use it, but I have always had sites where the plugin was needed... did you (or anyone) find a good reliable substitute?

    I've even suggested to WP about making some kind of community membership plugin with user profiles and custom fields for profiles. I.e. for making agile and very flexible websites. No one answered.

    There are a few that interested in from past:
    https://crocoblock.com/plugins/jetengine/membership/

    and

    userswp

    But i forced to stay on default WP user system, with custom login table and restricted access to some specific content. It's simplier and gives ability to use hooks & filters without any risks for upgrades at all.

    ACF/meta does not fit my needs aswell...
    The ability to build own page - require a lot of efforts too.
    I will try this month or later to purchase new license for crocoblocks, because it's looking exactly what is required.

  • asterisk14asterisk14 Banned
    edited July 2023

    @emgh said:

    @asterisk14 said:
    Does it mean more business and income when you get asked to patch/fix sites so this help website creators?

    No because owners don’t know until they’re actually hacked and fixing hacked websites with clueless owners and zero backups isn’t a particulary fun job

    But that means extra money right if building their website from scratch with no backups, can really milk the owners and gives opportunity to up sell them stuff like backups, HA, maintenance packages.

    You guys should be rejoicing

  • emghemgh Member

    @asterisk14 said:

    @emgh said:

    @asterisk14 said:
    Does it mean more business and income when you get asked to patch/fix sites so this help website creators?

    No because owners don’t know until they’re actually hacked and fixing hacked websites with clueless owners and zero backups isn’t a particulary fun job

    But that means extra money right if building their website from scratch with no backups, can really milk the owners and gives opportunity to up sell them stuff like backups, HA, maintenance packages.

    You guys should be rejoicing

    Booooooring

Sign In or Register to comment.