MemberSonic Lite <= 1.2 allows login without proper authorization

While looking for a membership plugin for WordPress I stumbled on MemberSonic and the free version of their plugin, MemberSonic Lite. After a 10-minute wait while watching their promotional video they finally email you a link to the Lite version. I could not find any indication on the site of how many sites or users their plugins have. It appears that they released something back in September of 2012, so there must be more than a handful of users out there.

Anyone using MemberSonic Lite should upgrade immediately: version 1.2 has a flaw allowing an unauthorized user to log in to any account simply by knowing the email address associated with it, including any accounts with administrator privileges.

I do not know if this affects the commercial version of the product and I have not done any further auditing of the Lite product. As of 6/28/2016, there has not been a new posting on their blog related to this issue or announcing an update to the Pro version.

Timeline

  • 6/20/2016 12:51pm Initial email attempt
  • 6/22/2016 7:45am Additional email attempt
  • 6/23/2016 2:49pm Final email attempt
  • 6/23/2016 3:07pm Email response received
  • 6/23/2016 3:16pm Full disclosure email sent
  • 6/24/2016 9:53am Received updated version 1.301
  • 6/24/2016 1:19pm Received updated version 1.302 that resolves original issue

Advanced Access Manager <= 3.2.1 Severe Security Vulnerability

In the quest for a good solution to allow different groups to control their own content on a WordPress site, I came across the Advanced Access Manager plugin. During a standard cursory investigation of the code I discovered that any logged-in user could execute any of the AJAX actions without proper authorization.

Using a normal subscriber account, I was able to give myself administrator privileges on the site, and much more.

The wordpress.org repository claims there are 50,000+ active installs of this plugin. If you are using a version <= 3.2.1, upgrade immediately.

Nonce Leak

The AJAX actions were protected only by the ‘aam_ajax’ nonce, which could be leaked by passing the HTTP POST variable ‘action=aam’. The following function is hooked to the ‘admin_print_scripts’ action; it in turn calls the printLocalization() function, which includes the nonce.

[screenshot: aam-nonce-leak]

[screenshot: aam-nonce-leak1]

Unrestricted AJAX Actions

Once you have acquired a valid nonce, you can call the ‘aam’ AJAX action as any logged-in user.

[screenshot: aam-ajax]

This allows you to call any function in the ‘AAM_Backend_View’ class, or in any class whose name begins with ‘AAM_Backend_’.

[screenshot: aam-ajax1]

Almost every action taken by this plugin goes through this function, so anything that an administrator can do is now accessible to anyone with basic login credentials.

Timeline

  • 5/11/2016 8:25pm Submitted contact form for initial contact
  • 5/12/2016 5:34am Response received
  • 5/12/2016 8:10am Initial Disclosure
  • 6/15/2016 GitHub repository updated
  • 6/20/2016 Version 3.2.2 released

Ultimate Member <= 1.3.52 allows users to set arbitrary user meta data

It had been over a year since I last looked at the Ultimate Member plugin. The free version now claims 30,000+ installs on its wordpress.org repository page.

I need one for a project I’m working on and was hoping it would be a good fit. After a bit of digging I noticed a severe issue that allowed a logged-in user to modify arbitrary user_meta data.

Most of this information a user could legitimately edit through their profile page, but certain meta keys (such as wp_capabilities) must never be modifiable by the user: anyone who can change that field can give themselves administrator privileges on the site.
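The same authorization gap underlies both the Advanced Access Manager AJAX dispatcher described earlier and this Ultimate Member profile update: a nonce is checked, but not what the user is actually allowed to do. The following is an added illustration written for this page, not code from either plugin; the action names, capabilities, meta keys and hook names are assumptions.

```php
<?php
// WEAK: check_ajax_referer() only proves the request came from a page that
// printed the nonce. Dispatching any AAM_Backend_* method by name then hands
// every administrator operation to any logged-in user holding that nonce.
function example_weak_ajax() {
    check_ajax_referer( 'aam_ajax' );
    $class  = 'AAM_Backend_' . sanitize_key( $_POST['sub'] ?? 'View' );
    $method = sanitize_key( $_POST['method'] ?? '' );
    if ( class_exists( $class ) && method_exists( $class, $method ) ) {
        wp_send_json_success( call_user_func( array( new $class(), $method ) ) );
    }
    wp_send_json_error( 'unknown action', 400 );
}

// HARDENED: a fixed dispatch table, each entry naming the capability it
// requires; current_user_can() runs after the nonce check on every request.
const EXAMPLE_ACTIONS = array(   // action => array( capability, callable ); hypothetical names
    'list_roles' => array( 'list_users', 'example_list_roles' ),
);
function example_list_roles() { return wp_roles()->get_names(); }
function example_hardened_ajax() {
    check_ajax_referer( 'aam_ajax' );
    $action = sanitize_key( $_POST['sub_action'] ?? '' );
    if ( ! isset( EXAMPLE_ACTIONS[ $action ] ) || ! current_user_can( EXAMPLE_ACTIONS[ $action ][0] ) ) {
        wp_send_json_error( 'forbidden', 403 );   // wp_die()s, nothing below runs
    }
    wp_send_json_success( call_user_func( EXAMPLE_ACTIONS[ $action ][1] ) );
}

// HARDENED profile update (the Ultimate Member case): only allowlisted meta
// keys may be written, and only on the caller's own account. is_protected_meta()
// alone is not enough: wp_capabilities and wp_user_level have no leading underscore.
const EXAMPLE_PROFILE_KEYS = array( 'nickname', 'description', 'example_phone' );
function example_hardened_profile_update() {
    check_ajax_referer( 'example_profile' );
    $user_id = get_current_user_id();           // wp_ajax_ hooks fire only when logged in
    foreach ( (array) ( $_POST['fields'] ?? array() ) as $key => $value ) {
        $key = sanitize_key( $key );
        if ( ! in_array( $key, EXAMPLE_PROFILE_KEYS, true ) || is_protected_meta( $key, 'user' ) ) {
            continue;   // wp_capabilities and every other non-allowlisted key is dropped
        }
        update_user_meta( $user_id, $key, sanitize_text_field( wp_unslash( $value ) ) );
    }
    wp_send_json_success();
}
add_action( 'wp_ajax_aam_example',             'example_hardened_ajax' );
add_action( 'wp_ajax_example_profile_update', 'example_hardened_profile_update' );
```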

Timeline