On October 23, 2020, our Threat Intelligence team responsibly disclosed several vulnerabilities in Ultimate Member, a WordPress plugin installed on over 100,000 websites. These flaws made it possible for attackers to escalate their own privileges to those of an administrator and take over a WordPress site.

We initially reached out to the plugin’s developer on October 23, 2020. After establishing an appropriate communication channel, we provided the full disclosure details on October 26, 2020. The developer provided us with a copy of the first intended patch on October 26, 2020 for us to test. We verified that the patch fixed one of the vulnerabilities; however, two still remained. On October 29, 2020, the plugin’s developer provided us with an updated copy which fully resolved all vulnerabilities. The plugin’s developer released a patched version of Ultimate Member, 2.1.12, on October 29, 2020.

These are critical and severe vulnerabilities that are easy to exploit. Therefore, we highly recommend updating to the patched version, 2.1.12, immediately.

Wordfence Premium customers received a firewall rule to protect against any exploits targeting these vulnerabilities on October 23, 2020. Sites still using the free version of Wordfence will receive the same protection on November 22, 2020.


Unauthenticated Privilege Escalation via User Meta

Description: Privilege Escalation
Affected Plugin: Ultimate Member
Plugin Slug: ultimate-member
Affected Versions: <= 2.1.11
CVE ID: Pending.
CVSS Score: 10.0 (CRITICAL)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Fully Patched Version: 2.1.12

Ultimate Member is a plugin designed to enhance user registration and account management on WordPress sites. It allows site owners to create custom roles and manage the privileges of site users. As part of its functionality, the plugin automatically creates three forms: user registration, user login, and user profile management.

We found that the user registration form was missing some checks on submitted user data. This oversight made it possible for an attacker to supply arbitrary user meta keys during the registration process that would update those meta keys in the database. This meant that an attacker could supply an array parameter for sensitive metadata such as the wp_capabilities user meta, which defines a user’s role. During the registration process, submitted registration details were passed to the update_profile function, and any metadata that was submitted, regardless of what it was, would be updated for the newly registered user.

    do_action( 'um_before_save_registration_details', $this->id, $submitted );
    update_user_meta( $this->id, 'submitted', $submitted );
    $this->update_profile( $submitted );

    function update_profile( $changes ) {
        $args['ID'] = $this->id;
        $changes = apply_filters( 'um_before_update_profile', $changes, $args['ID'] );
        foreach ( $changes as $key => $value ) {
            if ( ! in_array( $key, $this->update_user_keys ) ) {
                if ( $value === 0 ) {
                    update_user_meta( $this->id, $key, '0' );
                } else {
                    update_user_meta( $this->id, $key, $value );
                }
            } else {
                $args[ $key ] = esc_attr( $changes[ $key ] );
            }
        }
        // (the remainder of this function, which handles the role argument, is shown in the next section)

This meant that an attacker simply needed to supply wp_capabilities[administrator] as part of a registration request, and that attacker would effectively update the wp_capabilities field with the administrator role. This simple request would grant administrator access upon registration.

This vulnerability is considered very critical as it makes it possible for originally unauthenticated users to easily escalate their privileges to those of an administrator. Once an attacker has administrative access to a WordPress site, they have effectively taken over the entire site and can perform any action, from taking the site offline to further infecting the site with malware.


Unauthenticated Privilege Escalation via User Roles

Description: Privilege Escalation
Affected Plugin: Ultimate Member
Plugin Slug: ultimate-member
Affected Versions: <= 2.1.11
CVE ID: Pending.
CVSS Score: 10.0 (CRITICAL)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Fully Patched Version: 2.1.12

This vulnerability is related to the previously detailed vulnerability. Due to the lack of filtering on the role parameter that could be supplied during the registration process, an attacker could supply the role parameter with a WordPress capability or any custom Ultimate Member role and effectively be granted those privileges. After updating the user meta, the plugin checked if the role parameter was supplied. If so, a few checks were processed to verify the role being supplied.

        // update user
        if ( count( $args ) > 1 ) {
            //if isset roles argument validate role to properly for security reasons
            if ( isset( $args['role'] ) ) {
                global $wp_roles;
                $um_roles = get_option( 'um_roles' );
                if ( ! empty( $um_roles ) ) {
                    $role_keys = array_map( function( $item ) {
                        return 'um_' . $item;
                    }, get_option( 'um_roles' ) );
                } else {
                    $role_keys = array();
                }
                $exclude_roles = array_diff( array_keys( $wp_roles->roles ), array_merge( $role_keys, array( 'subscriber' ) ) );
                if ( in_array( $args['role'], $exclude_roles ) ) {
                    unset( $args['role'] );
                }
            }
            wp_update_user( $args );
        }

Luckily, the plugin blocked default WordPress roles from being supplied in the role parameter, making it more difficult for attackers to exploit this vulnerability to gain escalated privileges. In addition, if the role selector was enabled for the registration form, then only the roles specified by the site administrator could be selected and supplied during registration.

However, it did not stop custom Ultimate Member roles or individual WordPress capabilities from being supplied ahead of updating the user role. Consequently, despite the initial protections, an attacker could still easily gain elevated privileges.

Attackers could enumerate the current custom Ultimate Member roles and supply a higher-privileged role in the role parameter while registering. Or, an attacker could supply a specific capability and then use that to switch to another user account with elevated privileges. In either case, if wp-admin access was enabled for that user or role, then this vulnerability could be used in conjunction with the final vulnerability detailed below.

Again, this vulnerability is considered critical as it allows initially unauthenticated users to elevate their privileges with little difficulty. Once an attacker has elevated access to a WordPress site, they can potentially take over the entire site and further infect it with malware.
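One way to close both registration flaws at the same point in the flow, as an added hardening example that is not Ultimate Member’s own patch: a callback on the um_before_update_profile filter that update_profile() applies above, which drops role-defining meta keys and restricts the role field before any update_user_meta() or wp_update_user() call sees them. The filter name example_allowed_self_roles is an assumed, site-specific hook; the WordPress functions used are core.

```php
<?php
// Added hardening example (not the vendor's code). Hooks the filter that
// update_profile() applies to submitted registration data and strips the
// two kinds of input the registration flaws relied on.
add_filter( 'um_before_update_profile', 'example_strip_privileged_fields', 10, 2 );

function example_strip_privileged_fields( $changes, $user_id ) {
    global $wpdb;

    // A user's role and level live in prefix-dependent meta keys
    // (wp_capabilities and wp_user_level on a default install). They must
    // never be written from form data, whatever shape the value takes
    // (string, nested array such as wp_capabilities[administrator], ...).
    $protected_keys = array(
        $wpdb->prefix . 'capabilities',
        $wpdb->prefix . 'user_level',
    );
    foreach ( array_keys( $changes ) as $key ) {
        if ( in_array( $key, $protected_keys, true ) ) {
            unset( $changes[ $key ] );
        }
    }

    // The role field is only honoured when it is a plain string naming an
    // existing role AND either the requester may assign roles, or the role is
    // on the site's explicit allowlist for self-registration. Capability
    // names and custom um_* roles fall through to unset() unless allowlisted.
    if ( array_key_exists( 'role', $changes ) ) {
        $role = is_string( $changes['role'] ) ? sanitize_key( $changes['role'] ) : '';
        // Assumed site-specific filter; defaults to subscriber only.
        $allowed = apply_filters( 'example_allowed_self_roles', array( 'subscriber' ) );

        $exists     = '' !== $role && wp_roles()->is_role( $role );
        $may_assign = $exists && current_user_can( 'promote_users' );
        $self_pick  = $exists && in_array( $role, $allowed, true );

        if ( $may_assign || $self_pick ) {
            $changes['role'] = $role;
        } else {
            unset( $changes['role'] );
        }
    }
    return $changes;
}
```

Because the filter runs before the foreach loop, a stripped key never reaches update_user_meta(), and a rejected role never reaches the role checks or wp_update_user().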


Authenticated Privilege Escalation via Profile Update

Description: Privilege Escalation
Affected Plugin: Ultimate Member
Plugin Slug: ultimate-member
Affected Versions: <= 2.1.11
CVE ID: Pending.
CVSS Score: 9.9 (CRITICAL)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Fully Patched Version: 2.1.12

This final vulnerability was introduced due to a lack of capability checks on a profile update. Because Ultimate Member allowed the creation of new roles, the plugin also made it possible for site administrators to assign secondary Ultimate Member roles to users. This was meant to allow a user to have the default privileges of a built-in role, such as editor, while also having additional secondary privileges to extend the capabilities of a membership site using Ultimate Member. The plugin uses a function, profile_update, which runs whenever a user’s profile is updated in order to update the Ultimate Member role for any given user. This function used is_admin() alone, without a capability check, allowing any user to supply the um-role POST field and set their role to one of their choosing.

    function profile_update( $user_id, $old_data ) {
        // Bail if no user ID was passed
        if ( empty( $user_id ) ) {
            return;
        }
        $old_roles = $old_data->roles;
        $userdata  = get_userdata( $user_id );
        $new_roles = $userdata->roles;
        if ( is_admin() ) {
            if ( ! empty( $_POST['um-role'] ) ) {
                $new_roles = array_merge( $new_roles, array( $_POST['um-role'] ) );
                if ( ! user_can( $user_id, $_POST['um-role'] ) ) {
                    UM()->roles()->set_role( $user_id, $_POST['um-role'] );
                }
            }
        }
    }

That meant that any user with wp-admin access to the profile.php page, whether explicitly permitted or via another vulnerability used to gain that access, could supply the um-role parameter with a value set to any role, including `administrator`, during a profile update and effectively escalate their privileges to those of that role.

Just like the previous vulnerabilities outlined above, this vulnerability is considered critical as it makes it possible for authenticated users to escalate their privileges with very little difficulty. Once an attacker has administrator privileges on a WordPress site, they have effectively taken over the entire site.
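The same profile_update hook with the missing checks in place, as an added example rather than the vendor’s patch: is_admin() is replaced by checks on who is making the request and on what was submitted. The hook name, the um-role field and UM()->roles()->set_role() are as shown above; the capabilities and helper functions are WordPress core.

```php
<?php
// Added hardening example (not the vendor's code). is_admin() only says the
// request hit a dashboard URL; any logged-in user with wp-admin access
// satisfies it. The gate has to be the requester's capabilities instead.
add_action( 'profile_update', 'example_hardened_profile_update', 10, 2 );

function example_hardened_profile_update( $user_id, $old_data ) {
    if ( empty( $user_id ) || empty( $_POST['um-role'] ) ) {
        return;
    }

    // Who is asking? The *current* user must be allowed to change roles at
    // all, and to edit this particular user. user_can( $user_id, ... ) in the
    // original asked about the target, not the requester.
    if ( ! current_user_can( 'promote_users' ) || ! current_user_can( 'edit_user', $user_id ) ) {
        return;
    }

    // What was sent? Accept only a plain string that names an existing role,
    // never an array and never a raw capability name.
    if ( ! is_string( $_POST['um-role'] ) ) {
        return;
    }
    $role = sanitize_key( wp_unslash( $_POST['um-role'] ) );
    if ( '' === $role || ! wp_roles()->is_role( $role ) ) {
        return;
    }

    // Mirror core's own user-edit rule: the requester may only hand out a
    // role that is editable for them. get_editable_roles() is defined in
    // wp-admin, which is where this hook fires on a profile.php update.
    if ( function_exists( 'get_editable_roles' ) ) {
        $editable = get_editable_roles();
        if ( empty( $editable[ $role ] ) ) {
            return;
        }
    }

    UM()->roles()->set_role( $user_id, $role );
}
```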


Disclosure Timeline

  • October 19-23, 2020 – Initial discovery of one vulnerability and further analysis of the plugin, which leads to the discovery of two more vulnerabilities.
  • October 23, 2020 – We create a firewall rule to protect Wordfence customers and release it to Wordfence Premium users. We initiate contact with the plugin’s developer.
  • October 26, 2020 – The plugin’s developer confirms the inbox for handling communication. We send full disclosure.
  • October 26, 2020 – The plugin’s developer verifies the vulnerability and provides us with a patched copy to verify the fixes. We inform them that some flaws still exist.
  • October 29, 2020 – The plugin’s developer provides us with a second patched copy to verify the additional fixes. We verify that everything has been patched.
  • October 29, 2020 – The patch is released in version 2.1.12.
  • November 22, 2020 – Free Wordfence users receive the firewall rule.

Summary

In today’s post, we detailed several critical privilege escalation flaws in Ultimate Member that granted attackers the ability to escalate their privileges in several different ways. These flaws have been fully patched in version 2.1.12. We recommend that users immediately update to the latest version available, which is version 2.1.12 at the time of this publication.

Wordfence Premium users received firewall rules protecting against these vulnerabilities on October 23, 2020, while those still using the free version of Wordfence will receive the same protection on November 22, 2020.

If you know a friend or colleague who is using this plugin on their site, we highly recommend forwarding this advisory to them to help keep their sites protected, as these are high severity vulnerabilities that are trivial to exploit.

The post Critical Privilege Escalation Vulnerabilities Affect 100K Sites Using Ultimate Member Plugin appeared first on Wordfence.
