
WordPress Plugin Vulnerabilities

Ultimate Membership Pro < 8.6.2 - Multiple CSRF Issues via AJAX Calls, Insufficient Filename Entropy

Description

Version 8.6.1 attempted to fix multiple critical issues (mainly missing authorisation checks, which allowed low-privileged users to call the plugin's admin functions, leading to PII disclosure and login bypasses). However, the fixes were not sufficient:

- An indeedIsAdmin() check was added to all AJAX calls for authorisation; however, the calls were still missing CSRF verification. As a result, an attacker could make a logged-in administrator delete users or delete coupons, for example (other actions may be possible).

- The export.xml filename generation was changed to $filename = md5( time() . rand(1, 10000) . 'export' ) . '.xml'; (in admin/main.php, ihc_make_export_file()). Using time() here does not provide enough randomness: it is predictable to within a few seconds, so the set of possible filenames stays small. It seems that ihc_make_csv_user_list() (in utilities.php), called by the AJAX ihc_return_csv_link() (in admin/main.php), was also affected, as once again a time-based value was used as the random component of an MD5-hashed filename. Other methods may be affected as well.

- The files previously generated by ihc_return_csv_link() and ihc_make_export_file() were not deleted. Even though the newly generated filenames were MD5-hashed strings (of a non-random component, though), leaving the files in place increases the risk of an attacker guessing them, which would lead to PII being leaked. Furthermore, the files generated by the previous version, whose names contain no random component at all (i.e. export.xml), were not deleted either.
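As an added example (not the plugin's own code), this is the shape of the two fixes a reviewer would expect in place of the 8.6.1 changes, using only core WordPress APIs: a nonce (CSRF) check alongside the capability check on the AJAX handler, and an export filename drawn from random_bytes() with stale export files removed first. The function names my_export_*, the nonce action 'my_export' and the AJAX action 'my_export_delete_user' are hypothetical.

```php
<?php
/*
 * Added example, not the plugin's code. Hypothetical names: the my_export_*
 * functions, the nonce action 'my_export', the AJAX action
 * 'my_export_delete_user'. Everything else is core WordPress / PHP.
 */

// 1. AJAX handler with both a CSRF (nonce) check AND a capability check.
//    An is-admin style check alone does not stop a cross-site form from
//    driving a logged-in administrator's browser.
add_action( 'wp_ajax_my_export_delete_user', 'my_export_delete_user' );
function my_export_delete_user() {
    // Dies with "-1" (HTTP 403) unless a valid nonce for action 'my_export'
    // is supplied in the '_ajax_nonce' POST/GET field.
    check_ajax_referer( 'my_export', '_ajax_nonce' );

    // Authorisation is still required: the nonce only proves intent.
    if ( ! current_user_can( 'delete_users' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    $user_id = isset( $_POST['id'] ) ? absint( $_POST['id'] ) : 0;
    if ( 0 === $user_id || get_current_user_id() === $user_id ) {
        wp_send_json_error( 'invalid user id', 400 );
    }

    require_once ABSPATH . 'wp-admin/includes/user.php';
    wp_delete_user( $user_id );
    wp_send_json_success( array( 'deleted' => $user_id ) );
}

// The plugin's own admin page embeds this value and sends it as _ajax_nonce.
// A cross-origin page cannot read it, so a forged POST fails the check above.
function my_export_admin_form_nonce() {
    return wp_create_nonce( 'my_export' );
}

// 2. Export filename with real entropy, plus cleanup of stale exports.
//    md5( time() . rand( 1, 10000 ) . 'export' ) leaves at most ~13 bits of
//    unknown state once the creation time is known to the second; 16 bytes
//    from random_bytes() give 128 bits, which cannot be enumerated.
function my_export_make_file( $xml ) {
    $dir = trailingslashit( wp_upload_dir()['basedir'] ) . 'my-export/';
    if ( ! wp_mkdir_p( $dir ) ) {
        return new WP_Error( 'mkdir', 'cannot create export directory' );
    }

    // Remove every previous export, including weakly named ones such as
    // export.xml left behind by older versions.
    foreach ( glob( $dir . '*.xml' ) ?: array() as $old ) {
        wp_delete_file( $old );
    }

    $name = bin2hex( random_bytes( 16 ) ) . '.xml';
    $path = $dir . $name;
    if ( false === file_put_contents( $path, $xml, LOCK_EX ) ) {
        return new WP_Error( 'write', 'cannot write export file' );
    }
    return $path;
}
```

The admin-side JavaScript that triggers the deletion must send the value returned by my_export_admin_form_nonce() in the _ajax_nonce field; the nonce is bound to the current user and session, which is exactly what the cross-site form lacks. Removing old exports before writing a new one also means a leaked or guessed filename from an earlier version stops resolving to a file on disk.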

Proof of Concept

CSRF to delete an arbitrary user:

<html>
  <body onload="document.forms[0].submit();">
    <form action="https://example.com/wp-admin/admin-ajax.php" method="POST">
      <input type="hidden" name="action" value="ihc_delete_user_via_ajax" />
      <input type="hidden" name="id" value="1" />
    </form>
  </body>
</html> 

Affects Plugins

indeed-membership-pro
Fixed in version 8.6.2

References

URL
https://codecanyon.net/item/ultimate-membership-pro-wordpress-plugin/12159253
URL
https://blog.wpscan.com/wpvulndb/report/2020/03/06/ultimate-membership-pro-recent-vulnerabilities-breakdown.html

Classification

Type

MULTI

Miscellaneous

Original Researcher

ErwanLR

Submitter website
https://wpscan.org
Submitter twitter
erwan_lr
Verified

Yes

WPVDB ID
33b9558a-7776-4888-8f70-952358dfe17d

Timeline

Publicly Published

2020-02-24 (about 2 years ago)

Added

2020-02-24 (about 2 years ago)

Last Updated

2020-03-07 (about 2 years ago)
