Wordfence discovered and reported three critical vulnerabilities in the Ultimate Member plugin, which is active on more than 100,000 WordPress sites. Security researchers estimate that more than 20,000 sites still running a vulnerable version are exposed to site takeover through these privilege escalation bugs.
More than 100,000 WordPress websites are at risk of site takeover from critical privilege escalation vulnerabilities in a widely used plugin. Discovered by the Threat Intelligence team at Wordfence, the Ultimate Member plugin has three critical bugs: two carry the highest possible CVSS score of 10, and the third scores 9.9.
The Ultimate Member plugin handles user profiles and membership management and adds improved user registration and account control to WordPress sites. With the plugin, site owners can create custom roles for members and manage members' privileges, such as site access and content restrictions.
Charles Ragland, Security Engineer at Digital Shadows, told Threatpost, “WordPress plugins are some of the more popular attack vectors leveraged against websites. The Ultimate Member plugin is designed to provide administrators with features for user registration and account creation.”
None of the three vulnerabilities has been assigned an official tracking identifier yet; all three are privilege escalation bugs. If exploited, a user with only the subscriber role can grant themselves administrator privileges and take over the website. Two of the flaws are unauthenticated, so even an unregistered attacker can obtain administrator privileges, take over all site functionality and use the site to spread further malware.
Let’s explore the Ultimate Member plugin bugs in detail.
1. Unauthenticated Privilege Escalation Vulnerability via User Meta
CVSS score: 10 [CRITICAL]
This bug is exploited through user meta. By default, Ultimate Member creates three forms: user registration, user login and user profile management. The registration form did not verify which meta keys a request was allowed to update, so an unauthenticated attacker could submit arbitrary meta keys and have them written to the database, including the wp_capabilities key that stores a user's role.
“This meant that an attacker simply needed to supply wp_capabilities[administrator] as part of a registration request, and that attacker would effectively update the wp_capabilities field with the administrator role. This simple request would grant administrator access upon registration,” writes Chloe Chamberland, Threat Analyst for Wordfence.
2. Unauthenticated Privilege Escalation via User Roles
CVSS score: 10 [CRITICAL]
The second vulnerability is also an unauthenticated privilege escalation flaw, caused by a lack of filtering on role parameters supplied during registration. Like the first, it allows an attacker to set their own user role.
Here, the attacker needs to supply either a role carrying WordPress capabilities or any custom Ultimate Member role. Chamberland said, “An attacker could supply a specific capability and then use that to switch to another user account with elevated privileges.”
This parameter does not accept the built-in WordPress roles directly, which makes the flaw marginally harder to exploit than the first, but not enough to lower its CVSS score.
3. Authenticated Privilege Escalation via Profile Update
CVSS score: 9.9 [CRITICAL]
The third vulnerability results from missing capability checks when an authenticated user updates a profile through WordPress and Ultimate Member. Any logged-in user who can reach the profile.php page in wp-admin can supply the um-role parameter with any role, including administrator.
Ragland adds, “The third disclosed vulnerability involves gaining authenticated privilege escalation by abusing the profile update feature, where attackers can assign secondary admin roles to users without appropriate checks.”
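The three bugs share one root cause: values that decide authorisation (user meta keys such as wp_capabilities, and role parameters) are taken from the request and written to the user record without an allowlist or a capability check. The following WordPress-style PHP is an added illustration written for this article, not Ultimate Member's own code; the function names, the EXAMPLE_ALLOWED_META field set and the $post_data field names are assumptions. It places the unsafe pattern behind bugs 1 and 2 (arbitrary meta and role written at registration) and behind bug 3 (um-role honoured on profile update) next to a hardened version of each.

```php
<?php
/**
 * Illustrative handlers for the bug classes described above.
 * Example code for this article, not Ultimate Member's source.
 * Function names, the allowed-field list and $post_data keys are assumptions.
 */

// VULNERABLE (pattern behind bugs 1 and 2): every submitted field is copied
// into user meta. A registration request carrying
// wp_capabilities[administrator]=1 therefore rewrites the new user's role.
function example_register_user_vulnerable( array $post_data ) {
    $user_id = wp_create_user( $post_data['user_login'], $post_data['user_password'], $post_data['user_email'] );
    if ( is_wp_error( $user_id ) ) {
        return $user_id;
    }
    foreach ( $post_data as $key => $value ) {
        update_user_meta( $user_id, $key, $value ); // no allowlist: wp_capabilities and role land here
    }
    return $user_id;
}

// HARDENED: only an explicit allowlist of profile fields reaches user meta,
// and the role always comes from the site's configured default, never the request.
const EXAMPLE_ALLOWED_META = array( 'first_name', 'last_name', 'description' ); // assumed field set

function example_register_user_hardened( array $post_data ) {
    $user_id = wp_create_user(
        sanitize_user( wp_unslash( $post_data['user_login'] ), true ),
        $post_data['user_password'],
        sanitize_email( wp_unslash( $post_data['user_email'] ) )
    );
    if ( is_wp_error( $user_id ) ) {
        return $user_id;
    }
    foreach ( EXAMPLE_ALLOWED_META as $key ) {
        if ( isset( $post_data[ $key ] ) ) {
            update_user_meta( $user_id, $key, sanitize_text_field( wp_unslash( $post_data[ $key ] ) ) );
        }
    }
    $user = new WP_User( $user_id );
    $user->set_role( get_option( 'default_role', 'subscriber' ) ); // wp_capabilities is set here only
    return $user_id;
}

// VULNERABLE (pattern behind bug 3): a role supplied on profile update is
// applied without checking whether the acting user may assign roles at all.
function example_profile_update_vulnerable( int $user_id, array $post_data ) {
    if ( ! empty( $post_data['um-role'] ) ) {
        $user = new WP_User( $user_id );
        $user->set_role( $post_data['um-role'] ); // subscriber -> administrator
    }
}

// HARDENED: require the promote_users capability, forbid self-promotion and
// accept only roles the acting user is allowed to assign (get_editable_roles
// honours the editable_roles filter, so it also excludes roles an admin has
// been barred from handing out).
function example_profile_update_hardened( int $user_id, array $post_data ) {
    if ( empty( $post_data['um-role'] ) ) {
        return true; // nothing to change
    }
    $role = sanitize_key( wp_unslash( $post_data['um-role'] ) );

    if ( ! current_user_can( 'promote_users' ) || get_current_user_id() === $user_id ) {
        return new WP_Error( 'forbidden', 'You are not allowed to change this role.' );
    }
    if ( ! function_exists( 'get_editable_roles' ) ) {
        require_once ABSPATH . 'wp-admin/includes/user.php'; // not loaded on the front end
    }
    if ( ! array_key_exists( $role, get_editable_roles() ) ) {
        return new WP_Error( 'invalid_role', 'Role cannot be assigned by this user.' );
    }
    $user = new WP_User( $user_id );
    $user->set_role( $role );
    return true;
}
```

The hardened handlers deliberately never read a role or capability field from the request during registration at all; a fix that only filters out known-bad keys would still have to anticipate every spelling (wp_capabilities, the role field, custom Ultimate Member roles) and is the kind of blocklist that produced two separate CVSS 10 bugs here.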
Measures for Mitigation
Wordfence disclosed all three vulnerabilities to the plugin's developer on October 23. A patch for all three was released on October 29 in version 2.1.12 of Ultimate Member.
More than 80,000 websites have already moved to the patched release, according to the download data on the plugin's details page.
[Chart: Ultimate Member Plugin Versions in Use. Source: WordPress]
All remaining users are advised to update immediately.