Following my Thursday evening workout, I came across a concerning security alert related to the WordPress Ultimate Member Plugin. It was disheartening to hear that a security vulnerability could potentially grant unauthorized individuals access to WordPress Administrator privileges. A sigh of frustration escaped me as I absorbed this unfortunate news - like almost every day when dealing with WordPress security. But let’s go to the beginning of the story:
It wasn’t the first time this plugin had a glaring security flaw. At the end of November 2020, there was already a major security vulnerability, or rather several, in the plugin. Wordfence wrote a blog post about it here. You might think, well, this is just another vulnerability and not related to CVE-2023-3460. But if you take a closer look, you realize there is a connection.
Exploit of CVE-2020-36155
With a CVSS score of 10 out of 10, this must be something interesting. It is essentially the same vulnerability as the 2023 one: Unauthenticated Privilege Escalation via User Meta.
Sending a POST to
wp_capabilities[administrator], and you’re a WordPress Administrator.
The Ultimate Member team tried to fix it with this patch.
Now back to the current year. WPScan wrote in a blog post that, as of 2023-06-26, there is an unpatched vulnerability in the Ultimate Member plugin that allows an unauthenticated user to gain administrator privileges.
Exploit of CVE-2023-3460
Here we go:
You may think this is the same screenshot as above. No, it’s not. This time we need to have some
Sending a POST to
wp_capabilitiés[administrator], and you’re a WordPress Administrator. Voilà.
The Ultimate Member team needed several attempts to close the vulnerability. It should be fixed in version 2.6.7. Thank you very much!
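To make the pattern concrete, here is an added example written for this post; it is not code from Ultimate Member, Wordfence or WPScan, and it is in Python rather than the plugin’s PHP so it can be run anywhere. It models the two filter designs a registration form can use before saving user meta: a denylist that drops request keys whose bytes exactly match a privileged meta key, and an allowlist that keeps only the fields the form declares. The one assumption, labelled in the code, is that the storage layer compares meta keys case- and accent-insensitively (as a MySQL `*_ci` collation does) while the plugin’s string comparison does not, which is one way a key spelled `wp_capabilitiés` can slip past a denylist and still be read back as `wp_capabilities`. The form fields, the sample submissions and the `wp_` table prefix are constructed for the example.

```python
"""Denylist vs allowlist filtering of user-meta keys on a registration form.

Added example; not Ultimate Member's code. PHP request arrays such as
wp_capabilities[administrator]=1 are modelled as Python dicts.
"""
import unicodedata

# Assumed "wp_" table prefix; these meta keys decide a user's role.
PRIVILEGED_KEYS = {"wp_capabilities", "wp_user_level"}

# Fields the (constructed) registration form actually declares.
FORM_FIELDS = {"user_login", "user_email", "first_name", "last_name", "description"}


def _fold(key: str) -> str:
    """Case-fold and strip diacritics: 'WP_Capabilitiés' -> 'wp_capabilities'."""
    decomposed = unicodedata.normalize("NFKD", key)
    return "".join(c for c in decomposed if not unicodedata.combining(c)).casefold()


def storage_equal(a: str, b: str) -> bool:
    """ASSUMPTION: the store compares meta keys the way an accent- and
    case-insensitive collation (e.g. MySQL utf8mb4_unicode_ci) would,
    while the plugin compares raw strings byte for byte."""
    return _fold(a) == _fold(b)


def denylist_filter(submitted: dict) -> dict:
    """Drop only keys that are byte-identical to a privileged key.
    Any spelling variant the store later treats as equal slips through."""
    return {k: v for k, v in submitted.items() if k not in PRIVILEGED_KEYS}


def allowlist_filter(submitted: dict) -> dict:
    """Keep only keys the form declares; unknown keys are discarded
    regardless of how they are spelled."""
    return {k: v for k, v in submitted.items() if k in FORM_FIELDS}


def resulting_role(stored_meta: dict) -> str:
    """Model of what WordPress reads back after the filtered meta is saved:
    a stored key the store considers equal to wp_capabilities decides the
    role; with none present the new user stays a subscriber."""
    for key, value in stored_meta.items():
        if storage_equal(key, "wp_capabilities") and isinstance(value, dict):
            granted = [role for role, flag in value.items() if flag]
            if granted:
                return granted[0]
    return "subscriber"


# Constructed registration submissions: one benign, three smuggling a role.
BENIGN = {"user_login": "alice", "user_email": "alice@example.com"}
EXACT = {**BENIGN, "wp_capabilities": {"administrator": "1"}}
ACCENTED = {**BENIGN, "wp_capabilitiés": {"administrator": "1"}}  # the key from the post
UPPERCASE = {**BENIGN, "WP_Capabilities": {"administrator": "1"}}


def compare_filters() -> dict:
    """Role each submission ends up with under each filter design."""
    results = {}
    for name, submission in [("exact", EXACT), ("accented", ACCENTED), ("uppercase", UPPERCASE)]:
        results[name] = {
            "denylist": resulting_role(denylist_filter(submission)),
            "allowlist": resulting_role(allowlist_filter(submission)),
        }
    return results


if __name__ == "__main__":
    for name, outcome in compare_filters().items():
        print(f"{name:10s} denylist -> {outcome['denylist']:13s} allowlist -> {outcome['allowlist']}")
```

Running the module prints the matrix. The point to take away is that the two designs differ only on the variants the plugin and the store disagree about, and that is exactly where a denylist fails: it has to anticipate every spelling the store will later treat as `wp_capabilities`, while an allowlist never has to know that key exists.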
As you can see, a supposedly closed security vulnerability could be reopened with little effort, exposing around 200,000 WordPress installations to an enormous security risk. I will add the technical details to this or another blog post as soon as I get around to it.