Ultimate Membership Pro < 8.6.2 - Multiple CSRF Issues via AJAX Calls, Insufficient Filename Entropy

Version 8.6.1 attempted fo fix multiple critical issues (mainly lack of authorisation checks, allowing low privileges users to call the admin functions of the plugin, leading to PII disclosure and login bypasses). However, the fixes were not sufficient:

- An indeedIsAdmin() check was added to all AJAX calls for authorisation, however the calls were still missing CSRF verification. As a result, an attacker could make a logged in administrator delete users and delete coupons for example (others actions may be done).

- The export.xml filename generation was changed to $filename = md5( time() . rand(1, 10000) . 'export' ) . '.xml’; (in admin/main.php, ihc_make_export_file()). Using time() here is not random enough. It seems like the ihc_make_csv_user_list() (in utilities.php) called by the AJAX ihc_return_csv_link() (in admin/main.php) was also affected as once again a time based value was used as a random bit to generate a hashed md5 filename. Other methods may be affected as well.

- The previously generated files from ihc_return_csv_link() and ihc_make_export_file() were not deleted. Even though the newly generated files were MD5 hashed strings (of non random bit through), leaving them there increase the risk of an attacker guessing them, which would lead to PII being leaked. Furthermore, the files generated from previous version, which do not contain any random bit in their name (ie export.xml) were not deleted as well.

CSRF to delete an arbitrary user:

<html>
  <body onload="document.forms[0].submit();">
    <form action="https://example.com/wp-admin/admin-ajax.php" method="POST">
      <input type="hidden" name="action" value="ihc_delete_user_via_ajax" />
      <input type="hidden" name="id" value="1" />
    </form>
  </body>
</html>