Ultimate Member - CVE-2023-3460 and the story behind
Start
Following my Thursday evening workout, I came across a concerning security alert related to the WordPress Ultimate Member plugin. It was disheartening to hear that a security vulnerability could potentially grant unauthorized individuals WordPress Administrator privileges. A sigh of frustration escaped me as I absorbed this unfortunate news - like almost every day when dealing with WordPress security. But let's go back to the beginning of the story:
2020
It wasn’t the first time this plugin had a glaring security flaw. At the end of November 2020, there was already a major security vulnerability, or rather several, in the plugin. Wordfence wrote a blog about it here. You might think, well, this is just another vulnerability and not related to CVE-2023-3460. But if you take a closer look, you realize there is a connection.
Exploit of CVE-2020-36155
With a CVSS score of 10 out of 10, this must be something interesting. It is exactly the same vulnerability: Unauthenticated Privilege Escalation via User Meta.
Send a POST to /register with wp_capabilities[administrator], and you're a WordPress Administrator.
Fix
The Ultimate Member team tried to fix it with this patch.
2023
Now back to the current year. WPScan wrote in a blog post that there is (currently, as of 2023-06-26) an unpatched vulnerability in the Ultimate Member plugin that allows an unauthenticated user to gain administrator privileges.
Exploit of CVE-2023-3460
Here we go:
You may think this is the same screenshot as above. No, it's not. This time we need some éèà... characters.
Send a POST to /register with wp_capabilitiés[administrator], and you're a WordPress Administrator. Voilà.
Fix
The Ultimate Member team needed several attempts to secure the vulnerability. It should be fixed as of version 2.6.7. Thank you very much!
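As an added illustration (my own Python, not the plugin's PHP code; the page does not say how the original patch was written, so the denylist shape is an assumption), the following models why a fix that only rejects forbidden meta keys by exact name lets the accented variant through, while an allowlist of the form's own fields does not. The `suspicious_keys` helper is a hypothetical detection check a site owner could run over submitted registration keys:

```python
import unicodedata

# Assumption: the fragile fix compares submitted keys against a fixed set of
# privileged WordPress user-meta names. Exact matching is the weak point.
DENYLIST = {"wp_capabilities", "wp_user_level"}

# Hypothetical profile fields a registration form legitimately writes.
ALLOWED_META = {"first_name", "last_name", "description"}

# Constructed sample body mirroring the two requests described in the post:
# the plain key (blocked by the denylist) and the accented key (not blocked).
SAMPLE_POST = {
    "first_name": "Alice",
    "wp_capabilities": {"administrator": "1"},
    "wp_capabiliti\u00e9s": {"administrator": "1"},
}


def denylist_filter(submitted: dict) -> dict:
    """Fragile: drops only keys whose name exactly matches a forbidden one."""
    return {k: v for k, v in submitted.items() if k not in DENYLIST}


def allowlist_filter(submitted: dict) -> dict:
    """Robust: keeps only keys the form explicitly knows about, so any
    variant spelling of a privileged key is discarded by default."""
    return {k: v for k, v in submitted.items() if k in ALLOWED_META}


def suspicious_keys(submitted: dict) -> list:
    """Detection aid: flag keys that are non-ASCII or that, once accents are
    stripped (NFKD decomposition, drop combining marks), collide with a
    privileged meta key. Useful for reviewing registration request logs."""
    flagged = []
    for key in submitted:
        folded = unicodedata.normalize("NFKD", key).encode("ascii", "ignore").decode()
        if not key.isascii() or folded in DENYLIST:
            flagged.append(key)
    return flagged


if __name__ == "__main__":
    print("denylist keeps:", sorted(denylist_filter(SAMPLE_POST)))
    print("allowlist keeps:", sorted(allowlist_filter(SAMPLE_POST)))
    print("suspicious:", suspicious_keys(SAMPLE_POST))
```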
Conclusion
As you can see, a supposedly closed security vulnerability could be exploited again with little effort, and it exposed around 200,000 WordPress installations to an enormous security risk. I will add the technical details to this or another blog post as soon as I get around to it.
Happy updating!