Ultimate Member Plugin for WordPress Allows Site Takeover (Security News, November 2020)
"The Ultimate Member plugin is designed to provide administrators with features for user registration and account creation. The disclosed vulnerabilities included unauthenticated privilege escalation by sending arbitrary data in the user meta keys during registration or supplying an incorrect role parameter exposed by a lack of user input filtering. The third disclosed vulnerability involves gaining authenticated privilege escalation by abusing the profile update feature, where attackers can assign secondary admin roles to users without appropriate checks."
"An attacker could supply the role parameter with a WordPress capability or any custom Ultimate Member role and effectively be granted those privileges," according to Wordfence.
To exploit this, attackers could enumerate the available Ultimate Member roles and, while registering, supply a higher-privileged one in the role parameter, according to Wordfence.
"Due to the fact that Ultimate Member allowed the creation of new roles, this plugin also made it possible for site administrators to grant secondary Ultimate Member roles for all users," they explained.
Whenever a user's profile is updated, the Profile Update function runs, which in turn updates the Ultimate Member role for any given user.
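As an added illustration (not Ultimate Member's own code, and not from Wordfence or Threatpost), the PHP below shows the defensive pattern that addresses both weaknesses described above: registration copies only an allowlisted set of submitted fields into user meta and fixes the role server-side, and a role change on profile update is a separately authorized action that replaces rather than stacks roles. The field names, meta keys and function names are assumptions for illustration.

```php
<?php
// Added example, not the plugin's code. Field/meta-key names are assumed.

// 1. Registration: only an allowlist of submitted fields reaches user meta,
//    and the request can never choose the role or a capability name.
const ALLOWED_REGISTRATION_META = ['first_name', 'last_name', 'display_city'];
const DEFAULT_SIGNUP_ROLE       = 'subscriber';

function hardened_collect_registration_meta(array $submitted) {
    $meta = [];
    foreach (ALLOWED_REGISTRATION_META as $key) {
        if (isset($submitted[$key]) && is_string($submitted[$key])) {
            $meta[$key] = sanitize_text_field($submitted[$key]);
        }
    }
    // Everything else ('role', 'wp_capabilities', arbitrary keys) is dropped.
    return $meta;
}

function hardened_register_user(array $submitted) {
    $user_id = wp_insert_user([
        'user_login' => sanitize_user($submitted['username'] ?? ''),
        'user_email' => sanitize_email($submitted['email'] ?? ''),
        'user_pass'  => $submitted['password'] ?? '',
        'role'       => DEFAULT_SIGNUP_ROLE, // fixed server-side, never from input
    ]);
    if (is_wp_error($user_id)) {
        return $user_id;
    }
    foreach (hardened_collect_registration_meta($submitted) as $key => $value) {
        update_user_meta($user_id, $key, $value);
    }
    return $user_id;
}

// 2. Profile update: changing a role requires an explicit capability check,
//    and the target must be a role WordPress actually knows about.
function hardened_set_role_on_profile_update($user_id, $requested_role) {
    if (!current_user_can('promote_users') || get_role($requested_role) === null) {
        return false; // a user editing their own profile cannot reach this branch
    }
    $user = get_userdata((int) $user_id);
    if (!$user) {
        return false;
    }
    $user->set_role($requested_role); // replaces existing roles; no stacking
    return true;
}
```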
News URL: https://threatpost.com/ultimate-member-plugin-wordpress-site-takeover/161053/