A WordPress plugin installed on more than 100,000 sites has three critical security bugs that each allow privilege escalation – and potentially full control over a target WordPress site.
The plugin, called Ultimate Member, allows web admins to add user profiles and membership areas to their web destinations. According to Wordfence researchers, the flaws make it possible for both authenticated and unauthenticated attackers to escalate their privileges during registration, to attain the status of an administrator.
“Once an attacker has administrative access to a WordPress site, they have effectively taken over the entire site and can perform any action, from taking the site offline to further infecting the site with malware,” Wordfence researchers detailed in a posting on Monday.
“WordPress plugins are some of the more popular attack vectors leveraged against websites,” Charles Ragland, security engineer at Digital Shadows, told Threatpost in an overview of the issues. “The Ultimate Member plugin is designed to provide administrators with features for user registration and account creation. The disclosed vulnerabilities included unauthenticated privilege escalation by sending arbitrary data in the user meta keys during registration or supplying an incorrect role parameter exposed by a lack of user input filtering. The third disclosed vulnerability involves gaining authenticated privilege escalation by abusing the profile update feature, where attackers can assign secondary admin roles to users without appropriate checks.”
Bug Details
The first flaw (CVEs are pending) carries a 10-out-of-10 rating on the CvSS scale. It exists in the way user-registration forms perform checks on submitted user data; unauthenticated attackers can supply arbitrary user meta keys during the registration process that affect how their roles are assigned.
“This meant that an attacker could supply an array parameter for sensitive metadata, such as the wp_capabilities user meta, which defines a user’s role,” Wordfence researchers explained. “During the registration process, submitted registration details were passed to the update_profile function, and any respective metadata that was submitted, regardless of what was submitted, would be updated for that newly registered user.”
This means that an attacker can simply supply “wp_capabilities[administrator]” as part of a registration request, which would give he or she an administrator role.
A second, related bug (also critical, with a 10 out of 10 ranking on the severity scale) arises from a lack of filtering on the role parameter that could be supplied during the registration process.
“An attacker could supply the role parameter with a WordPress capability or any custom Ultimate Member role and effectively be granted those privileges,” according to Wordfence. “After updating the user meta, the plugin checked if the role parameter was supplied. If so, a few checks were processed to verify the role being supplied.”
To exploit this, attackers could enumerate any Ultimate Member role and supply a higher-privileged role while registering in the role parameter, according to Wordfence. Or, an attacker could supply a specific capability, before switching to another user account with elevated privileges.
“In either case, if wp-admin access was enabled for that user or role, then this vulnerability could be used in conjunction with the final vulnerability,” researchers explained.
That final, third bug is a critical-rated authenticated privilege-escalation issue that ranks 9.9 out of 10 on the severity scale. It exists due to a lack of capability checks on the Profile Update function of the plugin, researchers said.
“Due to the fact that Ultimate Member allowed the creation of new roles, this plugin also made it possible for site administrators to grant secondary Ultimate Member roles for all users,” they explained. “This was intended to allow a user to have default privileges for a built-in role, such as editor, but also have additional secondary privileges to extend capabilities of a membership site using Ultimate Member.”
Whenever a user’s profile is updated, the Profile Update function runs, which in turn updates the Ultimate Member role for any given user.
“This function used is_admin() alone without a capability check, making it possible for any user to supply the um-role post field and set their role to one of their choosing,” according to Wordfence. “This meant that any user with wp-admin access to the profile.php page, whether explicitly allowed or via another vulnerability used to gain that access, could supply the parameter um-role with a value set to any role including `administrator` during a profile update and effectively escalate their privileges to those of that role.”
All three bugs allow attackers to escalate their privileges with very little difficulty, and from there perform any task on affected websites.
“These are critical and severe vulnerabilities that are easy to exploit,” according to Wordfence researchers. “Therefore, we highly recommend updating to the patched version, 2.1.12, immediately.”
WordPress Plugins on Security Parade
Plugins are a consistent attack vector for cyberattackers taking aim at websites.
Last week, a security vulnerability in the Welcart e-Commerce plugin was found to open up websites to code injection. This can lead to payment skimmers being installed, crashing of the site or information retrieval via SQL injection, researchers said.
In October, two high-severity vulnerabilities were disclosed in Post Grid, a WordPress plugin with more than 60,000 installations, which open the door to site takeovers. And in September, a high-severity flaw in the Email Subscribers & Newsletters plugin by Icegram was found to affect more than 100,000 WordPress websites.
Earlier, in August, a plugin that is designed to add quizzes and surveys to WordPress websites patched two critical vulnerabilities. The flaws could be exploited by remote, unauthenticated attackers to launch varying attacks – including fully taking over vulnerable websites. Also in August, Newsletter, a WordPress plugin with more than 300,000 installations, was discovered to have a pair of vulnerabilities that could lead to code-execution and even site takeover.
And, researchers in July warned of a critical vulnerability in a WordPress plugin called Comments – wpDiscuz, which is installed on more than 70,000 websites. The flaw gave unauthenticated attackers the ability to upload arbitrary files (including PHP files) and ultimately execute remote code on vulnerable website servers.
Hackers Put Bullseye on Healthcare: On Nov. 18 at 2 p.m. EDT find out why hospitals are getting hammered by ransomware attacks in 2020. Save your spot for this FREE webinar on healthcare cybersecurity priorities and hear from leading security voices on how data security, ransomware and patching need to be a priority for every sector, and why. Join us Wed., Nov. 18, 2-3 p.m. EDT for this LIVE, limited-engagement webinar.