Critical privilege escalation bugs squashed in WordPress Ultimate Member plugin

The vulnerabilities impacted roughly 100,000 websites.

Critical privilege escalation vulnerabilities have been patched in the popular WordPress plugin Ultimate Member.

Accounting for over 100,000 active installations on websites that use the WordPress content management system (CMS), Ultimate Member allows webmasters to offer membership, sign-ups, and member profile functionality. 

According to a report published on Monday by the Wordfence security team, the plugin contained three vulnerabilities that could be used in privilege escalation attacks, allowing threat actors to escalate their account rights to administrator levels and potentially hijack entire websites. 

The bugs were found in version 2.1.11 and below of the plugin. CVE IDs are pending for each security flaw. 

The first bug -- assigned a CVSS score of 10.0, the highest possible -- was found in the user registration form process of the plugin, as a lack of checks on some user-input data allowed attackers to submit arbitrary user meta keys during the registration process. 

These keys would then update database information, including the parameters used to define a user's role -- and privileges. 

"This meant that an attacker simply needed to supply wp_capabilities[administrator] as part of a registration request, and that attacker would effectively update the wp_capabilities field with the administrator role," Wordfence says. 

The second vulnerability, also assigned a CVSS score of 10.0, was found in the same function. A lack of filtering could lead to attackers "supplying [themselves] a role parameter," Wordfence explained, and while default WordPress roles were blocked, this could be circumvented by supplying custom Ultimate Member roles instead. 
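The missing check in the two registration bugs amounts to an allowlist on submitted field names. The sketch below is an added example, not the plugin's code or Wordfence's: it assumes a hypothetical set of form fields (`ALLOWED_FIELDS`), runs on constructed request bodies, keeps only fields the form defines, and flags rejected keys that touch roles or capabilities.

```python
from urllib.parse import parse_qsl

# Assumption: the fields this site's registration form actually defines.
ALLOWED_FIELDS = {"user_login", "user_email", "user_password",
                  "first_name", "last_name"}

# Keys the write-up names as carrying role or capability data at registration.
PRIVILEGE_KEYS = {"wp_capabilities", "role"}


def base_key(key: str) -> str:
    """PHP folds 'wp_capabilities[administrator]' into an array named
    'wp_capabilities', so compare on the part before the first '['."""
    return key.split("[", 1)[0].strip().lower()


def filter_submission(body: str):
    """Split a urlencoded form body into (accepted, rejected, alert).

    accepted: fields the form defines, safe to pass to user-meta storage
    rejected: every other submitted key, in order (worth logging)
    alert:    True when a rejected key targets roles or capabilities
    """
    accepted, rejected = {}, []
    for key, value in parse_qsl(body, keep_blank_values=True):
        if key in ALLOWED_FIELDS:      # exact match also rejects 'name[...]'
            accepted[key] = value
        else:
            rejected.append(key)
    alert = any(base_key(k) in PRIVILEGE_KEYS for k in rejected)
    return accepted, rejected, alert


# Constructed sample bodies, not captured traffic.
SAMPLES = {
    "normal": "user_login=alice&user_email=alice%40example.test&user_password=x",
    "meta-key": "user_login=bob&user_email=bob%40example.test"
                "&wp_capabilities%5Badministrator%5D=",
    "role-param": "user_login=carol&user_email=carol%40example.test"
                  "&role=example_custom_role",
}

if __name__ == "__main__":
    for name, body in SAMPLES.items():
        accepted, rejected, alert = filter_submission(body)
        print(f"{name}: accepted={sorted(accepted)} "
              f"rejected={rejected} alert={alert}")
```

Because the decision is made on the allowlist rather than on a list of known-bad names, a key the form does not define is dropped even when it is not one of the two flagged here.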

When registering a role parameter, attackers could assign themselves high privilege roles, and if wp-admin access is enabled for a particular user or role, then the third and final bug comes into play. 

Wordfence discovered another bug, assigned a CVSS severity score of 9.9, which was caused by verification failures on profile updates. 

Ultimate Member allows for the creation of new roles and also permits site administrators to assign secondary roles for users. Therefore, a user could have default rights on signup, but could then be assigned a secondary role that gives them additional privileges. 

The function that facilitates extra role assignments, profile_update, leans on other functions that do not perform the right checks, so an attacker could supply a POST field to assign themselves a high-privilege role. 

"This meant that any user with wp-admin access to the profile.php page, whether explicitly allowed or via another vulnerability used to gain that access, could supply the parameter um-role with a value set to any role including 'administrator' during a profile update and effectively escalate their privileges to those of that role," Wordfence says. 

Wordfence discovered the trio of vulnerabilities between October 19 and 23, 2020. By October 26, the developer had been reached and confirmed the existence of the security issues. 

On October 26, the developer provided the Wordfence team with a patched copy of the software for analysis, but the security issues still existed. It took a further four days for a working patch to be developed and rolled out. 

A security fix was released in version 2.1.12 of Ultimate Member. At the time of writing, over 80% of users have upgraded and are now protected against exploitation of the privilege escalation vulnerabilities. 
