A vulnerability in the popular Ultimate Member WordPress plugin enables account takeover by exposing password reset links. The flaw makes it possible for attackers with authenticated Contributor-level access or higher to obtain password reset URLs for user accounts, including administrators.
The vulnerability affects up to 200,000 WordPress installations and is rated 8.8 out of 10 in severity.
Ultimate Member WordPress Plugin
Ultimate Member is a membership and user profile plugin for WordPress that helps websites create online communities, membership portals, and user directories. It provides front-end registration, login, profiles, and searchable member directories. The plugin also lets users become authors and create posts and comments.
Vulnerable To Authenticated Attackers
This is an authenticated vulnerability, which means attackers first need to obtain Contributor-level privileges in order to exploit it. Contributor is the lowest default WordPress role that can create its own posts, so sites that hand that role out through open registration are the most exposed. Successful exploitation of the vulnerability enables full website account takeover.
Password Reset Link Disclosure
The vulnerability is caused by three separate logic flaws that become exploitable when chained together.
The first flaw allows attackers to trick the plugin into treating arbitrary posts as legitimate member directories. A member directory is normally a controlled list of users displayed on the site, but the flawed validation makes it possible to redirect directory-related functionality toward attacker-controlled content.
The second flaw allows attackers to bypass restrictions on protected metadata fields. Metadata in WordPress often contains internal information that plugins expect normal users cannot manipulate directly.
The third flaw is due to a failure to properly validate the field names used when generating user card data. Because of this missing validation, attackers can request internal fields that should never be exposed publicly, including the password reset link.
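To make the chain concrete, the following is a small constructed model of the three checks described above, written for this article and not taken from Ultimate Member or Wordfence. The post type name `um_directory`, the field names, the meta key `_um_reset_link` and the sample site data are assumptions made for the illustration. The vulnerable function accepts any post as a directory, reads internal meta as if it were profile data and lets the caller name the fields; the hardened function verifies the post type and allowlists the fields before anything is read.

```python
"""Constructed model of the three logic checks the article describes.
Added example, not code from Ultimate Member or Wordfence; the post type,
field names, meta key and sample users below are assumptions for illustration."""
from dataclasses import dataclass, field


DIRECTORY_POST_TYPE = "um_directory"          # assumed name of the directory post type
PUBLIC_CARD_FIELDS = {"display_name", "description", "user_url"}  # assumed public fields
RESET_LINK_META = "_um_reset_link"            # hypothetical internal meta key


@dataclass
class Post:
    post_id: int
    post_type: str
    allowed_fields: tuple = ()    # fields the directory's author enabled for its cards


@dataclass
class User:
    user_id: int
    role: str
    fields: dict                  # public profile data
    meta: dict = field(default_factory=dict)  # internal meta never meant for output


# Constructed sample site: one real directory, one ordinary post, two users.
POSTS = {
    10: Post(10, DIRECTORY_POST_TYPE, ("display_name", "user_url")),
    42: Post(42, "post"),          # a contributor-authored post, not a directory
}
USERS = [
    User(1, "administrator",
         {"display_name": "Site Admin", "user_url": "https://example.com"},
         {RESET_LINK_META: "https://example.com/password-reset/?key=EXAMPLE-KEY&login=admin"}),
    User(7, "contributor", {"display_name": "Mallory", "user_url": ""}),
]


class DirectoryError(ValueError):
    """Raised by the hardened path when a request fails validation."""


def vulnerable_directory_response(directory_id, requested_fields):
    """Flawed version mirroring the three failures in the article:
    1. any existing post id is treated as a member directory,
    2. protected user meta is served like ordinary profile data,
    3. requested field names are never checked against an allowlist."""
    if directory_id not in POSTS:          # only existence is checked (flaw 1)
        raise KeyError(directory_id)
    cards = []
    for user in USERS:
        card = {}
        for name in requested_fields:      # the caller chooses the names (flaw 3)
            if name in user.fields:
                card[name] = user.fields[name]
            elif name in user.meta:        # internal meta leaks into the card (flaw 2)
                card[name] = user.meta[name]
        cards.append(card)
    return cards


def hardened_directory_response(directory_id, requested_fields):
    """Validated version: the post must really be a directory, and every
    requested field must be globally public and enabled on that directory."""
    post = POSTS.get(directory_id)
    if post is None or post.post_type != DIRECTORY_POST_TYPE:
        raise DirectoryError(f"post {directory_id} is not a member directory")
    allowed = PUBLIC_CARD_FIELDS & set(post.allowed_fields)
    rejected = sorted(set(requested_fields) - allowed)
    if rejected:
        raise DirectoryError(f"fields not permitted on this directory: {rejected}")
    # Only public profile fields are ever read; user.meta is never consulted.
    return [{name: user.fields.get(name, "") for name in requested_fields} for user in USERS]


def hardened_rejects(directory_id, requested_fields):
    """True if the hardened path refuses the request (used for checking)."""
    try:
        hardened_directory_response(directory_id, requested_fields)
    except DirectoryError:
        return True
    return False


def leaks_reset_link(cards):
    """True if any card in the response carries the internal reset-link meta."""
    return any(RESET_LINK_META in card for card in cards)


if __name__ == "__main__":
    attack = ["display_name", RESET_LINK_META]
    print("vulnerable path leaks reset link:",
          leaks_reset_link(vulnerable_directory_response(42, attack)))
    print("hardened path rejects the same request:", hardened_rejects(42, attack))
    print(hardened_directory_response(10, ["display_name", "user_url"]))
```

The important design point is that the hardened path never reads `user.meta` at all: a field name either maps to a public profile field that the directory's author enabled, or the whole request is rejected. Filtering the output afterwards (stripping "known bad" keys) would leave every other internal key one typo away from exposure.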
Impact Of The Vulnerability
Password reset links are effectively temporary login credentials. They are supposed to be private and sent only to the account owner during password recovery.
Because the plugin fails to properly validate which fields can be requested, attackers can force the plugin to disclose those reset links, which an attacker can then use to reset any account's password, including that of an administrator account that controls access to the website.
According to Wordfence:
“This makes it possible for authenticated attackers, with Contributor-level access and above, to leak live password reset URLs for all users in the member directory response, including administrators.”
Patch Available
The vulnerability affects all versions of Ultimate Member up to and including version 2.11.4. A patch is available in version 2.12.0, which adds stricter validation around member directory handling and the allowed user data fields. Users of the Ultimate Member plugin are recommended to update to version 2.12.0 or newer immediately.
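For site operators who manage several installs, the following constructed helper (written for this article, not provided by the plugin or Wordfence) compares an installed Ultimate Member version against the first patched release and, when WP-CLI is available, reads the live version itself. It assumes the WP-CLI plugin slug is `ultimate-member`; the version comparison is a plain numeric compare of dot-separated components, so pre-release suffixes are ignored.

```shell
#!/bin/sh
# Constructed helper, not part of the article or the plugin: flag Ultimate Member
# versions at or below 2.11.4. The WP-CLI plugin slug "ultimate-member" is assumed.
FIRST_PATCHED_VERSION="2.12.0"

# version_lt A B: returns 0 when dot-separated version A is strictly lower than B.
# Non-numeric suffixes (e.g. "-beta1") are dropped before the numeric compare.
version_lt() {
    a="$1." b="$2."
    while [ -n "$a" ] || [ -n "$b" ]; do
        x="${a%%.*}"; a="${a#*.}"
        y="${b%%.*}"; b="${b#*.}"
        x="${x%%[!0-9]*}"; y="${y%%[!0-9]*}"
        x="${x:-0}"; y="${y:-0}"
        [ "$x" -lt "$y" ] && return 0
        [ "$x" -gt "$y" ] && return 1
    done
    return 1
}

# um_is_vulnerable VERSION: returns 0 when VERSION predates the first patched release.
um_is_vulnerable() {
    version_lt "$1" "$FIRST_PATCHED_VERSION"
}

# um_installed_version [WP_PATH]: read the installed version with WP-CLI when present.
um_installed_version() {
    command -v wp >/dev/null 2>&1 || return 1
    wp plugin get ultimate-member --field=version --path="${1:-.}" 2>/dev/null
}

# um_report VERSION: print a verdict; returns 1 when an update is needed.
um_report() {
    if um_is_vulnerable "$1"; then
        echo "Ultimate Member $1: vulnerable, update to $FIRST_PATCHED_VERSION or newer"
        return 1
    fi
    echo "Ultimate Member $1: patched"
}

# Usage: um_check.sh VERSION  or  um_check.sh /path/to/wordpress (needs WP-CLI).
if [ -n "$1" ] && [ -d "$1" ]; then
    ver="$(um_installed_version "$1")" && um_report "$ver"
elif [ -n "$1" ]; then
    um_report "$1"
fi
```

Run it with a WordPress root to let WP-CLI report the version, or pass a version string directly to check an inventory exported from elsewhere.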