Wordfence’s Threat Intelligence team disclosed several vulnerabilities in Ultimate Member, a WordPress plugin installed on over 100,000 sites. These flaws made it possible for attackers to escalate their privileges to those of an administrator and take over a WordPress site.
Ultimate Member is an extensible WordPress plugin with more than 100,000 active installations and is designed to make the task of profile and membership management easier.
Ultimate Member is a popular plugin designed to enhance user registration and account control on WordPress sites. It allows site owners to create custom roles and manage the privileges of site members. As part of its functionality, the plugin automatically creates three forms: user registration, user login, and user profile management.
Wordfence discovered that the user registration form lacked some checks on submitted user data. This oversight made it possible for an attacker to supply arbitrary user meta keys during the registration process that would update those meta keys in the database.
This meant that an attacker could supply an array parameter for sensitive meta data such as the wp_capabilities user meta which defines a user’s role. During the registration process, submitted registration details were passed to the update_profile function, and any respective metadata that was submitted, regardless of what was submitted, would be updated for that newly registered user.
This meant that an attacker simply needed to supply wp_capabilities[administrator] as part of a registration request, and that attacker would effectively update the wp_capabilities field with the administrator role. This simple request would grant administrator access upon registration.
This vulnerability is considered very critical as it makes it possible for originally unauthenticated users to easily escalate their privileges to those of an administrator. Once an attacker has administrative access to a WordPress site, they have effectively taken over the entire site and can perform any action, from taking the site offline to further infecting the site with malware.
Fortunately, the plugin blocked default WordPress roles from being supplied in the role parameter making it more difficult for attackers to be able to exploit this vulnerability to gain escalated privileges. In addition, if the role selector was enabled for the registration form, then only the roles specified by the site administrator could be selected and supplied during registration.
Attackers could enumerate the current custom Ultimate Members roles and supply a higher privileged role while registering in the role parameter. Or, an attacker could supply a specific capability and then use that to switch to another user account with elevated privileges. In either case, if wp-admin access was enabled for that user or role, then this vulnerability could be used in conjunction with the final vulnerability detailed below.
Again, this vulnerability is considered critical as it allows originally unauthenticated users to escalate their privileges with some conditions. Once an attacker has elevated access to a WordPress site, they can potentially take over the entire and further infect the site with malware.
This final vulnerability was introduced due to a lack of capability checks on a profile update. Due to the fact that Ultimate Member allowed the creation of new roles, this plugin also made it possible for site administrators to grant secondary Ultimate Member roles for all users.
This was intended to allow a user to have default privileges for a built-in role, such as editor, but also have additional secondary privileges to extend capabilities of a membership site using Ultimate Member. The plugin uses a function, profile_update which runs whenever a user’s profile is updated to update the Ultimate Member role for any given user.
This function used is_admin() alone without a capability check, making it possible for any user to supply the um-role post field and set their role to one of their choosing.
This meant that any user with wp-admin access to the profile.php page, whether explicitly allowed or via another vulnerability used to gain that access, could supply the parameter um-role with a value set to any role including `administrator` during a profile update and effectively escalate their privileges to those of that role.
As with the previous vulnerabilities outlined above, this vulnerability is considered critical as it makes it possible for authenticated users to escalate their privileges with very little difficulty. Once an attacker has administrator privileges on a WordPress site, they have effectively taken over the entire site.
