S4E

CVE-2020-36155 Scanner

CVE-2020-36155 Scanner - Privilege Escalation vulnerability in Ultimate Member

Short Info

Level: Critical
Single Scan: Single Scan
Can be used by: Asset Owner
Estimated Time: 10 seconds
Time Interval: 19 days 9 hours
Scan only one: Domain, Subdomain, IPv4
Toolbox: -

Ultimate Member is a popular WordPress plugin used to manage community-driven sites with user profiles. It's widely used by businesses, personal bloggers, and organizations wanting to add extensive membership features to their WordPress site. The plugin allows site administrators to create custom user roles and capabilities, aiming to create a versatile community platform. Ultimate Member simplifies the process of adding front-end user profiles, registration, and login forms, making it appealing to non-technical users. This plugin is attractive to developers for its ease of use and readily available extensions. Its flexibility supports various website types, from academic platforms to service-based businesses.

The vulnerability, found in Ultimate Member before version 2.1.12, allows unauthenticated privilege escalation through manipulation of user metadata during the registration process. By submitting parameters such as wp_capabilities, an attacker could obtain administrative privileges without authorization. The direct effect of this flaw is that an attacker can take on a high-privileged user role without any proper authorization check. This enables malicious actors to alter site settings, upload malicious content, and gain full control over a vulnerable WordPress site. The severity of this flaw emphasizes the importance of prompt patching to secure WordPress installations.

Technically, the vulnerability involves submitting an array parameter for sensitive user metadata during registration. Because these parameters were not validated, a key such as wp_capabilities[administrator] could be included in the registration form and the new account was created with the administrator role. The root cause is that all submitted registration fields were forwarded to the update_profile function, which did not restrict which metadata entries could be written. Crafted HTTP registration requests were therefore enough to turn any newly registered user into an administrator. This lack of restriction on registration parameters created a high-impact privilege escalation and highlights the need for strict server-side validation of user-supplied metadata.
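The missing control described above, modelled as an added example in plain Python (this is not S4E's or the Ultimate Member plugin's code): registration input is reduced to an allowlist of profile fields, and any key that maps onto a protected WordPress user-meta entry is rejected and flagged, whether sent as a scalar or as a PHP-style array key such as wp_capabilities[administrator]. The allowlist, the "wp_" table prefix and the sample request body are assumptions constructed for the example.

```python
"""Registration-input hardening and detection for the CVE-2020-36155 pattern."""
import re
from urllib.parse import parse_qs

# WordPress stores role data under "<table_prefix>capabilities" and
# "<table_prefix>user_level"; the prefix is configurable, so it is a
# parameter below ("wp_" is only the default install value).
PROTECTED_SUFFIXES = ("capabilities", "user_level")

# Assumed allowlist of fields a public registration form may set.
REGISTRATION_ALLOWLIST = {"user_login", "user_email", "user_password",
                          "first_name", "last_name"}

_ARRAY_SUFFIX = re.compile(r"\[.*\]$")


def base_key(raw_key: str) -> str:
    """Strip a PHP array suffix: 'wp_capabilities[administrator]' -> 'wp_capabilities'."""
    return _ARRAY_SUFFIX.sub("", raw_key)


def is_protected_meta(raw_key: str, table_prefix: str = "wp_") -> bool:
    """True if the key would write role/capability metadata for this install."""
    key = base_key(raw_key).lower()
    if key == "role":
        return True
    return any(key == table_prefix + suffix for suffix in PROTECTED_SUFFIXES)


def filter_registration(body: str, table_prefix: str = "wp_"):
    """Split a URL-encoded registration body into (accepted, dropped, flagged).

    accepted: allowlisted fields that may reach the profile update.
    dropped:  unknown fields, silently discarded.
    flagged:  attempts to set protected metadata; worth an alert, since a
              legitimate registration form never sends them.
    """
    accepted, dropped, flagged = {}, [], []
    # parse_qs keeps 'wp_capabilities[administrator]' as one literal key
    # and decodes %5B/%5D, so percent-encoded brackets do not bypass the check.
    for raw_key, values in parse_qs(body, keep_blank_values=True).items():
        if is_protected_meta(raw_key, table_prefix):
            flagged.append(raw_key)
        elif base_key(raw_key) not in REGISTRATION_ALLOWLIST:
            dropped.append(raw_key)
        else:
            accepted[raw_key] = values[0]
    return accepted, dropped, flagged


# Constructed sample body: a normal sign-up with injected role metadata.
SAMPLE_BODY = ("user_login=alice&user_email=alice%40example.com&user_password=pw"
               "&wp_capabilities%5Badministrator%5D=1&wp_user_level=10&role=administrator")
```

Note that a non-default table prefix must be passed in, otherwise a key such as foo_capabilities[administrator] is merely dropped as unknown rather than flagged.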

When exploited, this vulnerability gives attackers administrative access to the entire site. That access can lead to the modification or deletion of content, the installation of malware, and a full takeover of the site for further attacks such as data theft or phishing. A compromised site exposes the users' personal information stored in the WordPress database and can be used to host malicious activity under the guise of a legitimate site. Such a compromise can cause significant reputational and financial damage to the affected site owners.
