KEVIntel · CVSS 9.8 (Critical)

CVE-2023-3460

PUBLISHED

Ultimate Member < 2.6.7 - Unauthenticated Privilege Escalation

PoC available · Remote · Low complexity · No user interaction

Vendor: Unknown
Product: Ultimate Member
Published: Jul 04, 2023
EPSS

Description

The Ultimate Member WordPress plugin before 2.6.7 does not prevent visitors from creating user accounts with arbitrary capabilities, effectively allowing attackers to create administrator accounts at will. This is actively being exploited in the wild.

Tags: wordpress · windows · nuclei_scanner

CVSS scores

CVSS v3.1 9.8 Critical

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Exploitation status

Proof of concept available

Recorded 2023-07-05 13:44:50 UTC · Source

SSVC decision points

Exploitation: poc
Automatable: Yes
Technical impact: total

Known exploited vulnerability sources

Catalogues that list this CVE as a known exploited vulnerability.

Source: CVE · Added: Jul 04, 2023

Scanner integrations

Potential proof of concepts

These PoCs are unverified and could contain malware. Use at your own risk.

Rajneeshkarya/CVE-2023-3460

github · Created 2023-07-27 15:19:16 UTC · 1 star

Exploit for the vulnerability of Ultimate Member Plugin.

diego-tella/CVE-2023-3460

github · Created 2023-07-11 20:15:20 UTC · 6 stars

Exploit and scanner for CVE-2023-3460

yon3zu/Mass-CVE-2023-3460

github · Created 2023-07-09 16:46:17 UTC · 0 stars

Mass CVE-2023-3460.

rizqimaulanaa/CVE-2023-3460

github · Created 2023-07-07 12:40:37 UTC · 0 stars

gbrsh/CVE-2023-3460

github · Created 2023-07-05 13:44:50 UTC · 34 stars

Exploit for CVE-2023-3460. Unauthorized admin access for Ultimate Member plugin < v2.6.7

Timeline

  • CVE ID Reserved

  • CVE Published to Public

  • Added to KEVIntel

  • Proof of Concept Exploit Available

  • Detected by Nuclei