While looking for a membership plugin for WordPress I stumbled on MemberSonic and the free version of their plugin, MemberSonic Lite. After a 10-minute wait while watching their promotional video they finally email you a link to the Lite version. I could not find any indication on the site of how many sites/users their plugins have. It appears that they released something back in September of 2012, so there must be more than a handful of users out there.
Anyone using MemberSonic Lite should upgrade immediately: version 1.2 has a flaw that allows an unauthorized user to log in to any account simply by knowing the email address associated with it, and this includes any accounts with administrator privileges.
I do not know if this affects the commercial version of the product and I have not done any further auditing of the Lite product. As of 6/28/2016, there has not been a new posting on their blog related to this issue or announcing an update to the Pro version.
- 6/20/2016 12:51pm Initial email attempt
- 6/22/2016 7:45am Additional email attempt
- 6/23/2016 2:49pm Final email attempt
- 6/23/2016 3:07pm Email response received
- 6/23/2016 3:16pm Full disclosure email sent
- 6/24/2016 9:53am Received updated version 1.301
- 6/24/2016 1:19pm Received updated version 1.302 that resolves original issue
In the quest for a good solution to allow different groups to control their own content on a WordPress site, I came across the Advanced Access Manager plugin. During a standard cursory investigation of the code I discovered that any logged-in user could execute any of the AJAX actions without proper authorization.
As a normal subscriber account, I was able to give myself administrator privileges on the site and do much more.
The wordpress.org repository claims there are 50,000+ active installs of this plugin. If you are using a version <= 3.2.1, upgrade immediately.
The AJAX actions were protected only with the ‘aam_ajax’ nonce, which could be leaked by passing in the HTTP POST variable ‘action=aam’. The following function is called from the ‘admin_print_scripts’ action, which in turn calls the printLocalization() function that includes the nonce.
Unrestricted AJAX Actions
Once you have acquired a valid nonce, as a logged-in user you can then call the ‘aam’ AJAX action, which will allow you to call any function in the ‘AAM_Backend_View’ class or in any class whose name begins with ‘AAM_Backend_’.
Almost every action taken by this plugin goes through this function, so anything that an administrator can do is now accessible to anyone with basic login credentials.
- 5/11/2016 8:25pm Submitted contact form for initial contact
- 5/12/2016 5:34am Response received
- 5/12/2016 8:10am Initial Disclosure
- 6/15/2016 GitHub repository updated
- 6/20/2016 Version 3.2.2 released
It had been over a year since I last looked at the Ultimate Member plugin. The free version claims to have 30,000+ installs now on the wordpress.org repository page.
I have a need for a project I’m working on and was hoping it would be a good fit. After a bit of digging I noticed a severe issue that allowed a logged in user to modify arbitrary user_meta data.
Most of this information a user could legitimately edit through their user profile page, but certain key/value pairs should not be modifiable (such as the wp_capabilities field). A user who is able to change that field can give themselves administrator privileges on the site.
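As an added illustration (not code from either plugin), here is the hardened shape of the two patterns behind the Advanced Access Manager and Ultimate Member findings above: an AJAX dispatcher that requires a capability in addition to the nonce, and a profile-update routine that writes only an allowlisted set of user_meta keys and refuses prefixed ones such as wp_capabilities. The ‘aam’ action and ‘aam_ajax’ nonce names come from the post; the `my_`-prefixed function names, the `nonce` and `sub_action` request fields and the allowlist contents are assumptions.

```php
<?php
// Illustrative hardened handlers, not the plugins' own code.

// 1. AJAX dispatcher. A nonce only proves the request originated from a page
//    WordPress served to this user; it says nothing about what the user may do,
//    so authorization needs a separate capability check.
add_action( 'wp_ajax_aam', 'my_aam_ajax_handler' );
function my_aam_ajax_handler() {
    // CSRF check: dies with HTTP 403 if the 'aam_ajax' nonce is missing/stale.
    check_ajax_referer( 'aam_ajax', 'nonce' );

    // Authorization: only users allowed to manage the site reach backend actions.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'forbidden' ), 403 );
    }

    // Dispatch through an explicit allowlist; never build a class or method
    // name from request data. Target functions are assumed defined elsewhere.
    $allowed = array( 'save_role' => 'my_aam_save_role' );
    $sub     = isset( $_POST['sub_action'] ) ? sanitize_key( $_POST['sub_action'] ) : '';
    if ( ! isset( $allowed[ $sub ] ) ) {
        wp_send_json_error( array( 'message' => 'unknown action' ), 400 );
    }
    call_user_func( $allowed[ $sub ] );
}

// 2. Profile update: write only allowlisted keys, and never protected or
//    table-prefixed ones (wp_capabilities, wp_user_level, ...).
function my_update_profile_meta( $user_id, array $fields ) {
    // Users may edit their own profile; editing others needs edit_users.
    if ( get_current_user_id() !== (int) $user_id && ! current_user_can( 'edit_users' ) ) {
        return new WP_Error( 'forbidden', 'not allowed' );
    }
    global $wpdb;
    $editable = array( 'description', 'nickname', 'first_name', 'last_name' ); // assumed
    $written  = array();
    foreach ( $fields as $key => $value ) {
        // Belt and braces: allowlist first, then WordPress's own protected-meta
        // rule, then anything carrying the table prefix (e.g. "wp_").
        if ( ! in_array( $key, $editable, true )
            || is_protected_meta( $key, 'user' )
            || 0 === strpos( $key, $wpdb->prefix ) ) {
            continue; // drop anything outside the allowlist
        }
        update_user_meta( $user_id, $key, sanitize_text_field( $value ) );
        $written[] = $key;
    }
    return $written; // keys actually stored, for the caller to report
}
```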