WordPress Plugin Alert – Critical SQLi Vulnerability Threatens 200K+ Websites

February 27, 2024NewsroomWebsite Security / Cryptojacking


A critical security flaw has been revealed in a popular WordPress plugin called Last Member with more than 200,000 active installations.

The vulnerability, tracked as CVE-2024-1071, carries a CVSS score of 9.8 out of a maximum of 10. Security researcher Christiaan Swiers is credited with discovering and reporting the flaw.

In an advisory published last week, WordPress security company Wordfence SAYS the plugin is “vulnerable to SQL Injection via the ‘sorting’ parameter in versions 2.1.3 to 2.8.2 due to insufficient escaping of the user supplied parameter and lack of adequate preparation of the current SQL query.”

As a result, untrusted attackers can exploit the flaw to add additional SQL queries to existing queries and extract sensitive data from the database.

It’s worth noting that the issue only affects users who have checked the “Enable custom table for usermeta” option in the plugin settings.


After responsible disclosure on January 30, 2024, a fix for the bug was made available to plugin developers with the release of version 2.8.3 on February 19.

Users are advised to update the plugin to the latest version as soon as possible to reduce potential threats, especially given the fact that Wordfence has an attack has been blocked attempted to exploit the flaw in the last 24 hours.

In July 2023, another flaw in the same plugin (CVE-2023-3460, CVSS score: 9.8) was actively exploited by threat actors to create rogue admin users and control vulnerable sites.


The development comes amid a surge in a new campaign that uses compromised WordPress sites to inject crypto drainers like Angel Drainer directly or redirect visitors to the Web3 site. phishing site containing. drainers.

“These attacks use phishing tactics and malicious injections to exploit the Web3 ecosystem’s trust in direct wallet interactions, which present a significant risk to website owners and the safety of user assets,” Sucuri researcher Denis Sinegubko SAYS.

It also follows the discovery of a new drainer-as-a-service (DaaS) scheme called CG (short for CryptoGrab) that runs a 10,000-member-strong affiliate program comprised of Russian, English, and Chinese speakers.


One of the threats to actor-controlled Telegram channels “targets attackers with a Telegram bot that enables them to run their fraud operations without any third-party dependencies,” Cyfirma SAYS in a report late last month.

“The bot allows a user to get a domain for free, clone an existing template for a new domain, set the wallet address where to send the scam funds, and also provides Cloudflare protection for the new domain.”

The threat group was also observed using two custom telegram bots called SiteCloner and CloudflarePage to clone an existing, legitimate website and add Cloudflare protection to it, respectively. These pages are distributed mostly using compromised X (formerly Twitter) accounts.

Did you find this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.

Leave a comment