Ultimate Member versions below 1.3.76 contain a critical security issue that allows unauthenticated users to reset any user's password to an arbitrary value. This could allow an external attacker to take over an Administrator account and completely compromise the WordPress website. The WordPress.org repository claims there are 40,000+ active installs of this plugin, though there is no way of knowing how many are running vulnerable versions.
If you are running an older version, upgrade immediately. This flaw exists as far back as 1.0.0, which was the initial release of the plugin. The change log for the plugin doesn't mention the specific flaw, and at this time I have not seen an announcement from the Ultimate Member developer.
On December 8th, the developer published a blog post and a Twitter post regarding the issue.
Due to the severity of this vulnerability, I will not provide specific details of the vulnerability at this time.
- 11/22/2016 12:00pm Sent vulnerability information to vendor
- 11/23/2016 3:40am Vendor replied saying issue was resolved with GitHub commit b66c99b
- 11/23/2016 8:45am Sent followup to vendor explaining additional vulnerability
- 11/28/2016 4:52am Received vendor response saying additional fix was added with GitHub commit c54e8d3
- 11/28/2016 Ultimate Member version 1.3.76 released
It had been over a year since I last looked at the Ultimate Member plugin. The free version claims to have 30,000+ installs now on the wordpress.org repository page.
I needed something like it for a project I'm working on and was hoping it would be a good fit. After a bit of digging I noticed a severe issue that allowed a logged-in user to modify arbitrary user_meta data.
Most of that information is what a user would edit through their own profile page anyway, but certain meta keys must never be writable by the user, the wp_capabilities key above all. A user who can change that key can give themselves administrator privileges on the site. The fix is an allowlist of the keys a profile form may touch, not a denylist of the ones it may not.
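The pattern that fixes this is to run every submitted key through an allowlist before anything reaches update_user_meta(). The block below is an added example and is not Ultimate Member's code; the field names, the UM_EDITABLE_META list and the um_* function names are assumptions made for illustration, and the request body is constructed. It also covers a caveat the sentence above glosses over: WordPress stores capabilities under the table-prefixed key ("{$wpdb->prefix}capabilities"), which is only wp_capabilities on a default install, so the protected keys are derived from the prefix rather than hard-coded.

```php
<?php
// Added example, not the plugin's code: allowlist filtering of profile
// updates before anything is written with update_user_meta().
// Field and function names are assumptions for this demo.

// Keys a user may change from their own profile. Anything not listed is
// dropped, so a newly introduced privileged key is safe by default.
const UM_EDITABLE_META = ['first_name', 'last_name', 'description', 'um_phone'];

/**
 * Split a submitted key/value map into what may be written and what must not.
 * $tablePrefix matters because WordPress keeps capabilities and user level
 * under "{$wpdb->prefix}capabilities" / "{$wpdb->prefix}user_level".
 */
function um_filter_profile_meta(array $submitted, string $tablePrefix = 'wp_'): array
{
    $accepted = [];
    $rejected = [];
    foreach ($submitted as $key => $value) {
        $key = (string) $key;
        // Authorisation data and WordPress-internal (underscore-prefixed) keys.
        $isProtected = $key === $tablePrefix . 'capabilities'
            || $key === $tablePrefix . 'user_level'
            || substr($key, 0, 1) === '_';
        if ($isProtected || !in_array($key, UM_EDITABLE_META, true)) {
            $rejected[] = $key;
            continue;
        }
        $accepted[$key] = is_string($value) ? trim($value) : $value;
    }
    return ['accepted' => $accepted, 'rejected' => $rejected];
}

// Vulnerable shape, for contrast: every submitted pair is written as-is.
// foreach ($_POST as $key => $value) { update_user_meta($userId, $key, $value); }

// Hardened shape: only the allowlisted remainder is handed to the writer.
// $writer stands in for update_user_meta() so the demo runs outside WordPress.
function um_save_profile(int $userId, array $post, callable $writer, string $tablePrefix = 'wp_'): array
{
    $result = um_filter_profile_meta($post, $tablePrefix);
    foreach ($result['accepted'] as $key => $value) {
        $writer($userId, $key, $value); // in WordPress: update_user_meta($userId, $key, $value)
    }
    return $result;
}

// Constructed request body standing in for $_POST: a normal profile edit
// with administrator capabilities and an internal key smuggled alongside.
$post = [
    'first_name'      => 'Alice',
    'description'     => 'Member since 2016',
    'wp_capabilities' => ['administrator' => true],
    'wp_user_level'   => '10',
    '_um_internal'    => 'x',
];

$written = [];
$result = um_save_profile(7, $post, function ($uid, $key, $value) use (&$written) {
    $written[$key] = $value; // stand-in for update_user_meta()
});

printf("written:  %s\n", implode(', ', array_keys($written)));
printf("rejected: %s\n", implode(', ', $result['rejected']));
```

Run it with `php` on the command line; only first_name and description are written, and the capabilities, user level and underscore keys are reported as rejected. The same filter should be applied server-side to every profile endpoint, not just the form the plugin renders, because the AJAX and REST paths take the same user-controlled key names.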
While sitting and waiting for my daughter at gymnastics several weeks ago I noticed an announcement for the Ultimate Member plugin. It sounded interesting, so I bookmarked it to check out later.
Fast forward to last week, when I noticed it sitting there and decided to take a look at it. I noticed a couple of security issues and contacted the developers.
There were a few minor issues that they fixed, but the major ones are critical. If you are using this plugin, Update Immediately!
Delete any file
We've got an unauthenticated AJAX action to delete files here.
We definitely need an authorization check when that AJAX call comes in: on the user (is anyone logged in, and is this user allowed to delete uploads at all?) and on the specific file (does it belong to this user?).
Well at least delete_file() is calling um_is_temp_upload() to make sure the file is a temporary file.
Uh-oh. It's only pulling '/ultimatemember/temp/' off the beginning of the path and trusting whatever is left. So it will happily accept '../' segments in the remainder, and you can use them to walk out of the temp directory and delete any file the user running PHP has permission to remove. Checking a string prefix is not the same as checking where the path actually resolves.
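To make the distinction concrete, here is an added example (not the plugin's code) that models the prefix-strip check described above next to a containment check that canonicalises the path before comparing it. The function names, the uploads layout and the file names are constructed for the demo; the only thing taken from the text is the '/ultimatemember/temp/' prefix.

```php
<?php
// Added example, not the plugin's code: a model of the "strip the prefix"
// check beside a check that resolves the path and verifies containment.
// Directory and file names below are constructed for this demo.

/**
 * Models the flawed check: strip the temp prefix and trust the remainder.
 * Returns the remainder, or null if the prefix is missing.
 */
function um_is_temp_upload_prefix_only(string $path): ?string
{
    $prefix = '/ultimatemember/temp/';
    if (strncmp($path, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return substr($path, strlen($prefix)); // "../" segments survive here
}

/**
 * Hardened check: resolve both the temp directory and the requested file to
 * canonical absolute paths and require the file to sit inside the directory.
 * Returns the canonical path that may be deleted, or null.
 */
function um_resolve_temp_upload(string $uploadsDir, string $path): ?string
{
    $tempDir = realpath($uploadsDir . '/ultimatemember/temp');
    $target  = realpath($uploadsDir . '/' . ltrim($path, '/'));
    if ($tempDir === false || $target === false || !is_file($target)) {
        return null;
    }
    // Compare against directory plus separator so "temp2/..." cannot match "temp".
    $inside = strncmp($target, $tempDir . DIRECTORY_SEPARATOR, strlen($tempDir) + 1) === 0;
    return $inside ? $target : null;
}

// Throwaway uploads tree: one legitimate temp file and one file outside the
// temp directory that must never be deletable through this action.
$uploads = sys_get_temp_dir() . '/um_demo_' . bin2hex(random_bytes(4));
mkdir($uploads . '/ultimatemember/temp', 0700, true);
file_put_contents($uploads . '/ultimatemember/temp/avatar.tmp', 'temp');
file_put_contents($uploads . '/wp-config-backup.php', 'secret');

$attack = '/ultimatemember/temp/../../wp-config-backup.php';
$legit  = '/ultimatemember/temp/avatar.tmp';

// Flawed check: the prefix matches, the remainder is joined back onto the
// temp directory, and the resulting path points outside it.
$rel    = um_is_temp_upload_prefix_only($attack);
$joined = $uploads . '/ultimatemember/temp/' . $rel;
printf("prefix-only check: accepted=%s, resolves to %s\n",
    $rel === null ? 'no' : 'yes', realpath($joined));

// Hardened check: the traversal is rejected and the real temp file is allowed.
printf("containment check: attack=%s, legit=%s\n",
    um_resolve_temp_upload($uploads, $attack) === null ? 'rejected' : 'ACCEPTED',
    um_resolve_temp_upload($uploads, $legit) === null ? 'rejected' : 'accepted');

// Remove the demo tree.
unlink($uploads . '/ultimatemember/temp/avatar.tmp');
unlink($uploads . '/wp-config-backup.php');
rmdir($uploads . '/ultimatemember/temp');
rmdir($uploads . '/ultimatemember');
rmdir($uploads);
```

Two details matter in the hardened version: realpath() is called on the joined path, so the '../' segments are resolved before the comparison rather than searched for as a substring, and the comparison includes the trailing directory separator so a sibling directory whose name merely begins with "temp" does not pass. Containment is still only half the fix; the action also needs the user and file ownership checks mentioned above.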
Upload arbitrary files
Multiple issues all come together to make this especially evil.
First off, um-file-upload.php can be called directly, and it bootstraps WordPress itself. I'd rather send every request through WordPress (an admin-ajax action or a registered endpoint) and not allow direct access to any plugin file; the usual guard is to bail out at the top of the file unless WordPress's ABSPATH constant is already defined.
Then we call check_file_upload() and only move the file if it doesn’t return an error.
Cool, check_file_upload() at least checks the extension against an allowlist, so an upload ending in .php sets $error = $data['extension_error']. Here's the rub: $field comes straight from user input, and get_field($field) returns null for a field that doesn't exist, so $data['extension_error'] is null as well. The end result is that check_file_upload() returns null, the caller reads null as "no error", and the file is moved anyway. The check fails open instead of failing closed.
Now we've got a file uploaded, and the response even kicks back the full path you need to call it. Assuming the host allows PHP execution from the uploads directory (a stock WordPress install does not block it), you can now run code as the user running PHP.
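The fail-open behaviour described above is easier to see side by side with a fail-closed version. The block below is an added example, not the plugin's code: the field registry, the um_* function names and the filenames are constructed for the demo, and the fail-open function models the described logic (error text read from a field lookup that can return null) rather than reproducing the original source.

```php
<?php
// Added example, not the plugin's code: a model of the fail-open extension
// check beside a fail-closed one. Field definitions and file names are
// constructed for this demo.

// Stand-in for the plugin's field registry: one real upload field.
const UM_FIELDS = [
    'profile_photo' => [
        'allowed_types'   => ['jpg', 'jpeg', 'png', 'gif'],
        'extension_error' => 'Sorry, this file type is not allowed.',
    ],
];

function um_get_field(string $field): ?array
{
    return UM_FIELDS[$field] ?? null; // unknown field -> null, as described above
}

/**
 * Fail-open model: the error text only ever comes out of the field
 * definition, so an unknown field yields null and the caller, which does
 * "if (!$error) move_uploaded_file(...)", treats null as "no error".
 */
function um_check_file_upload_open(string $filename, string $field): ?string
{
    $data  = um_get_field($field);
    $ext   = strtolower(pathinfo($filename, PATHINFO_EXTENSION));
    $error = null;
    if (!in_array($ext, (array) ($data['allowed_types'] ?? []), true)) {
        $error = $data['extension_error'] ?? null; // null when $data is null
    }
    return $error;
}

/**
 * Fail-closed version: an unknown field is itself an error, the extension is
 * taken from the final path component only, and a filename with more than one
 * extension (shell.php.jpg) is refused outright.
 */
function um_check_file_upload_closed(string $filename, string $field): ?string
{
    $data = um_get_field($field);
    if ($data === null || empty($data['allowed_types'])) {
        return 'Unknown upload field.';
    }
    $base = basename($filename);
    if (substr_count($base, '.') !== 1) {
        return 'Filename must have exactly one extension.';
    }
    $ext = strtolower(pathinfo($base, PATHINFO_EXTENSION));
    if (!in_array($ext, $data['allowed_types'], true)) {
        return $data['extension_error'];
    }
    return null; // the only path that leads to move_uploaded_file()
}

// Constructed cases: a normal image, a .php upload against the real field,
// and a .php upload against a field name that does not exist.
$cases = [
    ['avatar.png',    'profile_photo'],
    ['shell.php',     'profile_photo'],
    ['shell.php',     'no_such_field'],
    ['shell.php.jpg', 'profile_photo'],
];
foreach ($cases as [$name, $field]) {
    $open   = um_check_file_upload_open($name, $field);
    $closed = um_check_file_upload_closed($name, $field);
    printf("%-14s field=%-14s fail-open: %-8s fail-closed: %s\n",
        $name, $field,
        $open === null ? 'MOVED' : 'blocked',
        $closed === null ? 'moved' : 'blocked (' . $closed . ')');
}
```

Running it shows the third case is the one that matters: with an unknown field name the fail-open check returns null and shell.php is moved, while the fail-closed check refuses because there is no field to validate against. The fourth case is the extra hardening, since Apache's mod_mime can hand shell.php.jpg to the PHP handler on some configurations. None of this replaces the other layers, namely refusing direct access to the upload script, requiring an authenticated user with a nonce, and serving the uploads directory with PHP execution disabled.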