Ultimate Membership Pro < 8.6.1 - Multiple Critical Vulnerabilities

Description
Multiple critical vulnerabilities found in Ultimate Membership Pro could lead to authenticated Remote Code Execution (using a low-privilege account, such as a subscriber) on a default installation, as well as disclosure of PII (such as emails, IP addresses, hashed passwords, usernames, User-Agent strings and so on), due to a lack of authorisation checks.
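The class of bug the description names, an endpoint that serves any logged-in user because it performs no authorisation check, shown as a WordPress AJAX handler beside a hardened version. This is an added illustration written for this entry, not code from Ultimate Membership Pro or from the researcher; the action names, function names, nonce name and returned data are hypothetical.

```php
<?php
// Added illustration of the vulnerability class in the advisory (missing
// authorisation checks). NOT Ultimate Membership Pro's code: hook names,
// function names and the nonce name are hypothetical.

// --- Vulnerable pattern -----------------------------------------------------
// wp_ajax_* hooks fire for every authenticated user, subscribers included.
// Being logged in is authentication, not authorisation: nothing here checks a
// capability or a nonce, so any subscriber who POSTs action=example_export_users
// to /wp-admin/admin-ajax.php receives every WP_User object, whose ->data
// carries user_login, user_email and the user_pass hash.
add_action( 'wp_ajax_example_export_users', 'example_export_users_vulnerable' );
function example_export_users_vulnerable() {
    $users = get_users( array( 'fields' => 'all' ) );
    wp_send_json_success( $users );
}

// --- Hardened pattern -------------------------------------------------------
add_action( 'wp_ajax_example_export_users_safe', 'example_export_users_hardened' );
function example_export_users_hardened() {
    // 1. Authorisation: require a capability that only administrators hold by
    //    default. wp_send_json_error() calls wp_die(), so execution stops here.
    if ( ! current_user_can( 'list_users' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    // 2. CSRF: require the nonce the admin page embedded for this action
    //    (created with wp_create_nonce( 'example_export_users_nonce' )).
    //    check_ajax_referer() dies with -1 / HTTP 403 on a bad or missing nonce.
    check_ajax_referer( 'example_export_users_nonce', '_wpnonce' );

    // 3. Data minimisation: select only the columns the feature needs, so a
    //    future authorisation slip cannot leak password hashes again.
    $users = get_users( array( 'fields' => array( 'ID', 'user_login', 'user_email' ) ) );
    wp_send_json_success( $users );
}
```

When auditing a plugin for this class, list every `add_action( 'wp_ajax_...' )`, `wp_ajax_nopriv_...`, `admin_post_...` and REST route registration, then confirm each callback (or the REST `permission_callback`) checks a capability with `current_user_can()` rather than only `is_user_logged_in()`, and that state-changing handlers also verify a nonce.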

Edit (WPScanTeam):
February 3rd, 2020 - Report received and Envato contacted
February 4th, 2020 - Envato investigating
February 4th, 2020 - v8.6.1 released; the developers replied (via Envato) that the issues were due to the nulled plugin used by the researcher. We can confirm that the issues were valid and not due to a nulled plugin as claimed. Furthermore, the attempted fixes are not sufficient, and Envato has been notified again.

Proof of Concept

The PoC will be displayed on March 06, 2020, to give users time to update.

Affects Plugin

Ultimate Membership Pro, fixed in version 8.6.1

References

URL https://codecanyon.net/item/ultimate-membership-pro-wordpress-plugin/12159253

Classification

Type AUTHBYPASS
OWASP Top 10 A2: Broken Authentication and Session Management
CWE CWE-287

Miscellaneous

Original Researcher Noman Riffat
Submitter Noman Riffat
Submitter Twitter nomanriffat
Verified No
WPVDB ID 10061

Timeline

Publicly Published 2020-02-06
Added 2020-02-06
Last Updated 2020-02-17
