{"id":"CVE-2023-3460","details":"The Ultimate Member WordPress plugin before 2.6.7 does not prevent visitors from creating user accounts with arbitrary capabilities, effectively allowing attackers to create administrator accounts at will. This is actively being exploited in the wild.","modified":"2026-04-11T12:45:19.764912Z","published":"2023-07-04T08:15:10.573Z","database_specific":{},"references":[{"type":"ADVISORY","url":"https://blog.wpscan.com/hacking-campaign-actively-exploiting-ultimate-member-plugin/"},{"type":"FIX","url":"https://wpscan.com/vulnerability/694235c7-4469-4ffd-a722-9225b19e98d7"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/ultimatemember/ultimatemember","events":[{"introduced":"0"},{"fixed":"0b05d05518492c35f522c077b01dbfa52176adeb"}],"database_specific":{"cpe":"cpe:2.3:a:ultimatemember:ultimate_member:*:*:*:*:*:wordpress:*:*","extracted_events":[{"introduced":"0"},{"fixed":"2.6.7"}],"source":"CPE_FIELD"}}],"versions":["1.3.48","1.3.59","1.3.88","1.3.88.4","1.3.88.5","1.3.88.6","2.0.10","2.0.11","2.0.16","2.0.17","2.0.24","2.0.34","2.0.35","2.0.37","2.0.38","2.0.39","2.0.4","2.0.41","2.0.43","2.0.44","2.0.45","2.0.46","2.0.47","2.0.48","2.0.49","2.0.5","2.0.50","2.0.53","2.0.54","2.0.9","2.1.0","2.1.0-rc.1","2.1.0-rc.2","2.1.1","2.1.10","2.1.11","2.1.12","2.1.13","2.1.14","2.1.15","2.1.16","2.1.17","2.1.18","2.1.19","2.1.2","2.1.2-rc.1","2.1.20","2.1.3","2.1.3-rc.1","2.1.4","2.1.5","2.1.6","2.1.7","2.1.8","2.1.9","2.2.0","2.2.1","2.2.2","2.2.3","2.2.4","2.2.5","2.3.0","2.3.1","2.3.2","2.4.0","2.4.1","2.4.2","2.5.0","2.5.1","2.5.2","2.5.3","2.5.4","2.6.0","2.6.1","2.6.2","2.6.3","2.6.4","2.6.5","2.6.6","pre-v1.3.50","pre-v1.3.69.16","pre-v1.3.69.17","pre-v1.3.69.18","pre-v1.3.69.19","pre-v1.3.69.20","pre-v1.3.69.21","pre-v1.3.69.22","pre-v1.3.69.23","pre-v1.3.69.24","pre-v1.3.69.25","v1.3.29","v1.3.30","v1.3.32","v1.3.35","v1.3.36","v1.3.37","v1.3.38","v1.3.39","v1.3.40","v1.3.41","v1.3.42","v1.3.43","v1.3.44","v1.3.45","v1.3.47","v1.3.49","v1.3.51","v1.3.52","v1.3.53","v1.3.54","v1.3.55","v1.3.56","v1.3.60","v1.3.61","v1.3.62","v1.3.63","v1.3.64","v1.3.65","v1.3.66","v1.3.67","v1.3.68","v1.3.69","v1.3.71","v1.3.72","v1.3.73","v1.3.74","v1.3.75","v1.3.76","v1.3.78","v1.3.79","v1.3.81","v1.3.82","v1.3.83","v1.3.84","v1.3.88.1","v1.3.88.2","v1.3.88.3"],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2023-3460.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}]}