WordPress Plugin Alert - Critical SQLi Vulnerability Threatens 200K+ Websites
ID: 2e87ec94-2b40-5047-858b-e9210af17646
STIX ID: report--2e87ec94-2b40-5047-858b-e9210af17646
Feed Name: The Hacker News
A critical unauthenticated SQL injection (CVE-2024-1071, CVSS 9.8) affecting the Ultimate Member WordPress plugin (versions 2.1.3–2.8.2) was disclosed and patched in version 2.8.3; Wordfence observed and blocked exploitation attempts. The report warns that compromised WordPress sites are being leveraged to inject Web3 crypto drainers (e.g., Angel Drainer) or redirect visitors to them. It also details a widespread drainer-as-a-service (CryptoGrab) affiliate program and supporting Telegram bots that automate site cloning, domain setup, and Cloudflare protection, amplifying the risk to site owners and crypto users. Administrators should update immediately.
