Ultimate Member Plugin for WordPress Allows Site Takeover

  • 3 critical security bugs allow for easy privilege escalation to an administrator role.

    A WordPress plugin installed on more than 100,000 websites has three critical security bugs that each allow privilege escalation – and potentially full control over a target WordPress site.

    The plugin, known as Ultimate Member, allows web admins to add user profiles and membership areas to their sites. According to Wordfence researchers, the flaws make it possible for both authenticated and unauthenticated attackers to escalate their privileges during registration, to gain the status of an administrator.

    “Once an attacker has administrative access to a WordPress site, they have effectively taken over the entire site and can perform any action, from taking the site offline to further infecting the site with malware,” Wordfence researchers detailed in a posting on Monday.

    “WordPress plugins are some of the more popular attack vectors leveraged against websites,” Charles Ragland, security engineer at Digital Shadows, told Threatpost in an overview of the issues. “The Ultimate Member plugin is designed to provide administrators with options for user registration and account creation. The disclosed vulnerabilities involved unauthenticated privilege escalation by sending arbitrary data in the user meta keys during registration or supplying an incorrect role parameter exposed by a lack of user input filtering. The third disclosed vulnerability involves gaining authenticated privilege escalation by abusing the profile update function, where attackers can assign secondary admin roles to users without proper checks.”

    Bug Specifics

    The first flaw (CVEs are pending) carries a 10-out-of-10 rating on the CVSS scale. It exists in the way user-registration forms perform checks on submitted user details: unauthenticated attackers can supply arbitrary user meta keys during the registration process that affect how their roles are assigned.

    “This meant that an attacker could supply an array parameter for sensitive metadata, such as the wp_capabilities user meta, which defines a user’s role,” Wordfence researchers explained. “During the registration process, submitted registration details were passed to the update_profile function, and any respective metadata that was submitted, regardless of what was submitted, would be updated for that newly registered user.”

    This means that an attacker can simply supply “wp_capabilities[administrator]” as part of a registration request, which would grant them an administrator role.

    A second, related bug (also critical, with a 10 out of 10 rating on the severity scale) arises from a lack of filtering on the role parameter that could be supplied during the registration process.

    “An attacker could supply the role parameter with a WordPress capability or any custom Ultimate Member role and effectively be granted those privileges,” according to Wordfence. “After updating the user meta, the plugin checked if the role parameter was supplied. If so, a few checks were processed to validate the role being supplied.”

    To exploit this, attackers could enumerate any Ultimate Member role and supply a higher-privileged role in the role parameter while registering, according to Wordfence. Or, an attacker could supply a specific capability, before switching to a different user account with elevated privileges.

    “In either case, if wp-admin access was enabled for that user or role, then this vulnerability could be used in conjunction with the final vulnerability,” researchers said.

    That final, third bug is a critical-rated authenticated privilege-escalation issue that ranks 9.9 out of 10 on the severity scale. It exists due to a lack of capability checks on the Profile Update function of the plugin, researchers explained.

    “Due to the fact that Ultimate Member allowed the creation of new roles, this plugin also made it possible for site administrators to grant secondary Ultimate Member roles for all users,” they explained. “This was intended to allow a user to have default privileges for a built-in role, such as editor, but also have additional secondary privileges to extend capabilities of a membership site using Ultimate Member.”

    Whenever a user’s profile is updated, the Profile Update function runs, which in turn updates the Ultimate Member role for any given user.

    “This function used is_admin() alone without a capability check, making it possible for any user to supply the um-role post field and set their role to one of their choosing,” according to Wordfence. “This meant that any user with wp-admin access to the profile.php page, whether explicitly allowed or through another vulnerability used to gain that access, could supply the parameter um-role with a value set to any role including `administrator` during a profile update and effectively escalate their privileges to those of that role.”

    All three bugs allow attackers to escalate their privileges with very little difficulty, and from there perform any task on affected sites.
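    The three weaknesses above share a pattern: role-bearing data (user meta keys, a role parameter, the um-role field) is taken from the request and written without an allowlist or a capability check. The following PHP is an added illustration of that pattern and its hardening; it is not Ultimate Member's code, and the demo_* function names and the allowed form fields are assumptions.

```php
<?php
// Added illustration (not the plugin's code). Uses only standard WordPress
// API calls: update_user_meta, sanitize_key, sanitize_text_field, WP_User,
// current_user_can, wp_verify_nonce, wp_roles.

// Bugs 1 and 2 – registration. Vulnerable pattern: every submitted key is
// written to user meta verbatim, so wp_capabilities or role come from the request.
function demo_register_vulnerable( int $user_id, array $submitted ): void {
    foreach ( $submitted as $key => $value ) {
        update_user_meta( $user_id, $key, $value ); // no allowlist, no role check
    }
}

// Hardened: allowlist the meta keys a registration form may set and assign the
// role server-side from a fixed default, never from a request parameter.
function demo_register_hardened( int $user_id, array $submitted ): void {
    $allowed = array( 'first_name', 'last_name', 'description' ); // assumed fields
    foreach ( $submitted as $key => $value ) {
        $key = sanitize_key( $key );
        if ( ! in_array( $key, $allowed, true ) ) {
            continue; // silently drops wp_capabilities, role, um-role, etc.
        }
        update_user_meta( $user_id, $key, sanitize_text_field( (string) $value ) );
    }
    ( new WP_User( $user_id ) )->set_role( 'subscriber' ); // fixed default role
}

// Bug 3 – profile update. is_admin() only reports that the request targets the
// admin area; it is not a permission check. Gate role changes on capabilities
// and a nonce, and accept only role names that actually exist.
function demo_profile_role_update( int $target_user_id, string $requested_role ): bool {
    if ( ! current_user_can( 'promote_users' )
        || ! current_user_can( 'edit_user', $target_user_id ) ) {
        return false; // caller is not allowed to change roles
    }
    $nonce = isset( $_POST['_wpnonce'] ) ? (string) $_POST['_wpnonce'] : '';
    if ( ! wp_verify_nonce( $nonce, 'demo_role_update' ) ) {
        return false; // reject forged or replayed form posts
    }
    $role = sanitize_key( $requested_role );
    if ( ! array_key_exists( $role, wp_roles()->roles ) ) {
        return false; // unknown role name
    }
    ( new WP_User( $target_user_id ) )->set_role( $role );
    return true;
}
```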

    “These are critical and severe vulnerabilities that are easy to exploit,” according to Wordfence researchers. “Therefore, we highly recommend updating to the patched version, 2.1.12, immediately.”

    WordPress Plugins on Security Parade

    Plugins are a regular attack vector for cyberattackers taking aim at sites.

    Last week, a security vulnerability in the Welcart e-Commerce plugin was found to open up sites to code injection. This can lead to payment skimmers being installed, crashing of the site or data retrieval via SQL injection, researchers said.

    In October, two high-severity vulnerabilities were disclosed in Post Grid, a WordPress plugin with more than 60,000 installations, which open the door to site takeovers. And in September, a high-severity flaw in the Email Subscribers & Newsletters plugin by Icegram was found to affect more than 100,000 WordPress sites.

    Earlier, in August, a plugin that is designed to add quizzes and surveys to WordPress sites patched two critical vulnerabilities. The flaws could be exploited by remote, unauthenticated attackers to launch various attacks – including completely taking over vulnerable sites. Also in August, Newsletter, a WordPress plugin with more than 300,000 installations, was found to have a pair of vulnerabilities that could lead to code execution and even site takeover.

    And, researchers in July warned of a critical vulnerability in a WordPress plugin named Comments – wpDiscuz, which is installed on more than 70,000 sites. The flaw gave unauthenticated attackers the ability to upload arbitrary files (including PHP files) and ultimately execute remote code on vulnerable site servers.