CVE-2023-3460

CRITICAL · EXPLOITED IN THE WILD · NUCLEI · LAB

Ultimate Member <2.6.7 - Privilege Escalation

Description

The Ultimate Member WordPress plugin before 2.6.7 does not prevent visitors from creating user accounts with arbitrary capabilities, effectively allowing attackers to create administrator accounts at will. This is actively being exploited in the wild.

Exploits (12)

exploitdb WORKING POC
by Gurjot Singh · python, webapps, multiple
https://www.exploit-db.com/exploits/52393
nomisec WORKING POC 35 stars
by gbrsh · remote
https://github.com/gbrsh/CVE-2023-3460
nomisec WORKING POC 7 stars
by diego-tella · client-side
https://github.com/diego-tella/CVE-2023-3460
github WORKING POC 3 stars
by certuscyber · python, poc
https://github.com/certuscyber/cve-pocs/tree/main/CVE-2023-3460
nomisec WORKING POC 1 star
by GURJOTEXPERT · remote
https://github.com/GURJOTEXPERT/CVE-2023-3460
nomisec WORKING POC 1 star
by Rajneeshkarya · remote
https://github.com/Rajneeshkarya/CVE-2023-3460
nomisec WORKING POC
by TranKuBao · poc
https://github.com/TranKuBao/CVE-2023-3460_FIX
nomisec WRITEUP
by julienbrs · remote
https://github.com/julienbrs/exploit-CVE-2023-3460
nomisec WORKING POC
by DiMarcoSK · poc
https://github.com/DiMarcoSK/CVE-2023-3460_POC
nomisec WRITEUP
by EmadYaY · poc
https://github.com/EmadYaY/CVE-2023-3460
nomisec WORKING POC
by yon3zu · client-side
https://github.com/yon3zu/Mass-CVE-2023-3460
nomisec WORKING POC
by rizqimaulanaa · client-side
https://github.com/rizqimaulanaa/CVE-2023-3460

Nuclei Templates (1)

Ultimate Member < 2.6.7 - Unauthenticated Privilege Escalation
CRITICAL · VERIFIED · by DhiyaneshDk
Shodan: http.html:/wp-content/plugins/ultimate-member
FOFA: body=/wp-content/plugins/ultimate-member

Scores

CVSS v3: 9.8
EPSS: 0.9281
EPSS Percentile: 99.8%
Attack Vector: NETWORK
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

VulnCheck KEV: 2023-06-29
InTheWild.io: 2023-07-04
Status: published
Products (1):
ultimatemember/ultimate_member < 2.6.7
Published: Jul 04, 2023
Tracked Since: Feb 18, 2026