|CWE-269: Improper Privilege Management
Description: Ultimate Member <= 2.6.6 Privilege Escalation via Arbitrary User Meta Updates Affected Plugin: Ultimate Member User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin Plugin Slug: ultimate-member Affected Versions: <= 2.6.6 CVE ID: CVE-2023-3460 CVSS Score: 9.8 (Critical) CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Researcher/s: Unknown, Marc-Alexandre Montpas Fully Patched Version: NONE The Ultimate Member plugin for WordPress is vulnerable to privilege escalation in versions up to, and including, 2.6.6. This is due to the plugin using a predefined list of user meta keys that are banned which can be bypassed via a few method like adding slashes to the user meta key. This makes it possible for unauthenticated attackers to register on a site as an administrator. Vulnerable Mechanism Ultimate Member is a plugin designed to add easy registration and account management to WordPress sites. One of the features is a registration form that users can use to sign up for an account on a WordPress site running the plugin. Unfortunately, this form makes it possible for users to register and set arbitrary user meta values for their account. While the plugin has a preset defined list of banned keys, that a user should not be able to update, there are trivial ways to bypass filters put in place such as utilizing various cases, slashes, and character encoding in a supplied meta key value in vulnerable versions of the plugin. This makes it possible for attackers to set the wp_capabilities user meta value, which controls the users role on the site, to administrator. This grants the attacker complete access to the vulnerable site when successfully exploited. Indicators of Compromise While our attack data is limited at this point, we do have the following indicators of compromise from a separate pre-existing firewall rule that provided partial coverage for this vulnerability. We recommend running a complete Wordfence malware scan to ensure your site is not compromised if you are running Ultimate Member, and keeping an eye out for the following indicators of compromise. - The most important thing to check for is new user accounts created with administrator privileges. - We are seeing the following usernames in our attack data: - wpenginer - wpadmins - wpengine_backup - se_brutal - segs_brutal - Access log entries showing attackers hitting a compromised sites Ultimate Member registration page, which is set on the /register path by default. - Look for the following IP Addresses in a sites access logs, or in the Wordfence plugins live traffic feed. - 220.127.116.11 - 18.104.22.168 - 22.214.171.124 - 126.96.36.199 - 188.8.131.52 - The following domain has been associated with user account email addresses. - exelica[.]com - Check for plugins and themes that may not have been installed previously. If your site has been compromised by this exploit, we offer professional site cleaning services through Wordfence Care, with Wordfence Response providing an expedited turnaround time. Alternatively, if youre comfortable with doing so we provide instructions on how to clean your site using the free Wordfence plugin. Conclusion In todays PSA, we covered a Critical-severity Privilege Escalation vulnerability in Ultimate Member that is being actively exploited. The vulnerability remains unpatched and can quickly allow unauthenticated users to automatically take over any site with the plugin installed. This means that all 200,000 installations are currently at risk. We recommend verifying that this plugin is not installed on your site until a patch is made available, and forwarding this advisory to anyone you know who manages a WordPress website. While the firewall rule we released today should protect Wordfence Premium, Wordfence Care, and Wordfence Response users from site takeover, the Ultimate Member plugin contains additional functionality that is impractical to block which could potentially be abused by a sophisticated attacker in combination with vulnerabilities in other software. As such we recommend uninstalling the plugin even if you are protected by our firewall rule, as it minimizes but does not fully eliminate the risk presented by this vulnerability. For security researchers looking to disclose vulnerabilities responsibly and obtain a CVE ID, you can submit your findings to Wordfence Intelligence and potentially earn a spot on our leaderboard. Special thank you to Ramuel Gall, Wordfence Senior Security Researcher, and Istvn Mrton, Wordfence Vulnerability Researcher, for their assistance reverse engineering this vulnerability and for contributing to this post!
Copyright ©2024 Exploitalert.