Shortcode Injection Vulnerability
Ultimate Member versions older than 1.3.84 allow unauthenticated users to execute arbitrary WordPress shortcodes via AJAX. The vulnerable code exists as far back as version 1.0.0 when the plugin was first published. If you are using any version of this plugin, update immediately. At this time, the plugin revision notes do not address this vulnerability nor has the developer released any information related to this issue.
The default WordPress shortcodes are relatively secure, but other installed plugins often include insecure shortcodes, and the Ultimate Member plugin is one of them. Some of the Ultimate Member shortcodes are documented at http://docs.ultimatemember.com/article/210-ultimate-member-shortcodes.
Executing arbitrary shortcodes
Ultimate Member registers the ‘ultimatemember_frontend_modal’ AJAX action, which is accessible to anyone, logged in or not. The handler passes request-supplied arguments straight to the do_shortcode() function and returns the result.
Include arbitrary PHP files
Using directory traversal with the ‘ultimatemember_account’ shortcode, PHP files accessible on the host can be included. The following function is what is called when the ‘ultimatemember_account’ shortcode is executed.
Adding a template argument to the shortcode allows an arbitrary PHP file to be included.
For example, the following shortcode call allows viewing some user stats from the dashboard:
If a method could be discovered that allows uploading arbitrary PHP code, this could be used to execute that code.
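As an added example (not Ultimate Member's code and not from the original post), this is how a defender would write an AJAX endpoint that renders a shortcode: the tag is checked against a fixed allowlist, the endpoint is only registered for logged-in users, and a template name is accepted only if it resolves to a file inside the plugin's own templates directory, which closes the traversal path described above. The names prefixed `example_`, the `templates/` directory and the nonce action are assumptions.

```php
<?php
// Added example: hardened AJAX handler pattern for a shortcode-rendering endpoint.
// Names prefixed "example_" are assumptions, not Ultimate Member identifiers.

// Only shortcodes explicitly listed here may be rendered through AJAX.
const EXAMPLE_ALLOWED_SHORTCODES = array( 'ultimatemember_account' );

function example_resolve_template( $name ) {
    // Reject anything that is not a plain base name before touching the filesystem.
    if ( ! is_string( $name ) || '' === $name || $name !== sanitize_file_name( $name ) ) {
        return false;
    }
    $base = realpath( plugin_dir_path( __FILE__ ) . 'templates' );
    $path = realpath( $base . DIRECTORY_SEPARATOR . $name . '.php' );
    // realpath() collapses any "../" sequences; the result must stay under $base.
    if ( false === $base || false === $path || 0 !== strpos( $path, $base . DIRECTORY_SEPARATOR ) ) {
        return false;
    }
    return $path;
}

function example_ajax_modal() {
    // The nonce ties the request to a page the site served to this user.
    check_ajax_referer( 'example_modal_nonce', 'nonce' );
    if ( ! is_user_logged_in() ) {
        wp_send_json_error( 'login required', 403 );
    }
    $tag = isset( $_POST['shortcode'] ) ? sanitize_key( wp_unslash( $_POST['shortcode'] ) ) : '';
    if ( ! in_array( $tag, EXAMPLE_ALLOWED_SHORTCODES, true ) || ! shortcode_exists( $tag ) ) {
        wp_send_json_error( 'shortcode not permitted', 400 );
    }
    $attrs = '';
    if ( isset( $_POST['template'] ) ) {
        $template = example_resolve_template( wp_unslash( $_POST['template'] ) );
        if ( false === $template ) {
            wp_send_json_error( 'invalid template', 400 );
        }
        $attrs = ' template="' . esc_attr( basename( $template, '.php' ) ) . '"';
    }
    // Only the vetted tag and the vetted attribute reach do_shortcode(); nothing else from the request does.
    wp_send_json_success( do_shortcode( '[' . $tag . $attrs . ']' ) );
}

// Registered for logged-in users only: deliberately no wp_ajax_nopriv_ hook.
add_action( 'wp_ajax_example_modal', 'example_ajax_modal' );
```

The shortcode callback itself should still treat the template attribute as untrusted and run it through the same resolver, since shortcodes can also be invoked from post content.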
- 2/27/2017 Notified developer of issue
- 3/9/2017 Second notification to developer
- 3/10/2017 ‘Clean up’ commit on GitHub
- 3/10/2017 Developer reply saying they removed the offending code
- 4/17/2017 5:30AM PST Version 1.3.84 tagged in GitHub
- 4/17/2017 6:34PM PST Version 1.3.84 released on wordpress.org
Ultimate Member versions older than 1.3.76 contain a critical security issue that allows unauthenticated users to reset any user's password to an arbitrary value. This could allow an external attacker to take over an Administrator account and completely compromise the WordPress website. The WordPress.org repository claims there are 40,000+ active installs of this plugin, though there is no way of knowing how many are running vulnerable versions.
If you are running an older version, upgrade immediately. This flaw exists as far back as 1.0.0, which was the initial release of the plugin. The change log for the plugin doesn’t mention the specific flaw, and at this time I have not seen an announcement from the Ultimate Member developer. On December 8th, the developer published a blog post and a twitter post regarding the issue.
Due to the severity of this vulnerability, I will not provide specific details of the vulnerability at this time.
- 11/22/2016 12:00pm Sent vulnerability information to vendor
- 11/23/2016 3:40am Vendor replied saying issue was resolved with github commit b66c99b
- 11/23/2016 8:45am Sent followup to vendor explaining additional vulnerability
- 11/28/2016 4:52am Received vendor response saying additional fix was added with github commit c54e8d3
- 11/28/2016 Ultimate Member version 1.3.76 released
It had been over a year since I last looked at the Ultimate Member plugin. The free version claims to have 30,000+ installs now on the wordpress.org repository page.
I have a need for a project I’m working on and was hoping it would be a good fit. After a bit of digging I noticed a severe issue that allowed a logged in user to modify arbitrary user_meta data.
Most of this information a user can legitimately edit through their profile page, but certain meta key/value pairs should never be user-modifiable (the wp_capabilities field, for example). A user who can change that field can grant themselves administrator privileges on the site.