Ultimate Membership Pro < 8.6.2 - Multiple CSRF Issues via AJAX Calls, Insufficient Filename Entropy



Description
Version 8.6.1 attempted to fix multiple critical issues (mainly missing authorisation checks, which allowed low-privilege users to call the admin functions of the plugin, leading to PII disclosure and login bypasses). However, the fixes were not sufficient:

- An indeedIsAdmin() check was added to all AJAX calls for authorisation; however, the calls were still missing CSRF verification. As a result, an attacker could make a logged-in administrator delete users or delete coupons, for example (other actions may be possible).

- The export.xml filename generation was changed to $filename = md5( time() . rand(1, 10000) . 'export' ) . '.xml'; (in admin/main.php, ihc_make_export_file()). time() is predictable, so this does not provide enough entropy. ihc_make_csv_user_list() (in utilities.php), called by the AJAX handler ihc_return_csv_link() (in admin/main.php), appears to be affected in the same way, as a time-based value is again used as the random component of the MD5-hashed filename. Other methods may be affected as well.

- The files previously generated by ihc_return_csv_link() and ihc_make_export_file() were not deleted. Even though the newly generated filenames are MD5 hashes (of non-random input, though), leaving the old files in place increases the risk of an attacker guessing them, which would lead to PII being leaked. Furthermore, the files generated by previous versions, whose names contain no random component at all (i.e. export.xml), were not deleted either.

Proof of Concept
CSRF to delete an arbitrary user:

<html>
  <body onload="document.forms[0].submit();">
    <form action="https://example.com/wp-admin/admin-ajax.php" method="POST">
      <input type="hidden" name="action" value="ihc_delete_user_via_ajax" />
      <input type="hidden" name="id" value="1" />
    </form>
  </body>
</html>
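For contrast with the issues described above, an added example (not the plugin's own code; handler, action and function names are hypothetical): an AJAX delete handler that checks both the caller's capability and a WordPress nonce, so a cross-site form like the one above is rejected, and an export routine that names the file from a CSPRNG and removes earlier exports.

```php
<?php
// Added example (not the plugin's code): hardened versions of the two
// patterns described in the advisory. All names are hypothetical.

// 1. AJAX delete handler with a capability check AND a nonce check.
//    indeedIsAdmin() alone answers "is the caller an admin?", not
//    "did the admin intend this request?"; the nonce answers the second.
add_action( 'wp_ajax_example_delete_user', 'example_delete_user_via_ajax' );

function example_delete_user_via_ajax() {
    // Dies with a 403 unless a valid nonce for the action
    // 'example_delete_user' is present in the 'nonce' POST field.
    check_ajax_referer( 'example_delete_user', 'nonce' );

    if ( ! current_user_can( 'delete_users' ) ) {
        wp_send_json_error( 'insufficient privileges', 403 );
    }

    $user_id = isset( $_POST['id'] ) ? absint( $_POST['id'] ) : 0;
    if ( 0 === $user_id || get_current_user_id() === $user_id ) {
        wp_send_json_error( 'invalid user id', 400 );
    }

    require_once ABSPATH . 'wp-admin/includes/user.php';
    wp_send_json_success( array( 'deleted' => wp_delete_user( $user_id ) ) );
}

// The nonce is generated server-side on the legitimate admin page and
// handed to the plugin's (hypothetical) 'example-admin' script.
function example_enqueue_admin_script() {
    wp_localize_script( 'example-admin', 'exampleAjax', array(
        'nonce' => wp_create_nonce( 'example_delete_user' ),
    ) );
}
add_action( 'admin_enqueue_scripts', 'example_enqueue_admin_script' );

// 2. Export filename from a CSPRNG instead of md5( time() . rand() ).
//    128 bits from random_bytes() cannot be narrowed down by knowing the
//    request time, and earlier exports are removed so they cannot be
//    guessed later.
function example_make_export_file( $xml, $dir ) {
    $dir = trailingslashit( $dir );
    foreach ( glob( $dir . 'export-*.xml' ) ?: array() as $old ) {
        unlink( $old );
    }
    $filename = 'export-' . bin2hex( random_bytes( 16 ) ) . '.xml';
    file_put_contents( $dir . $filename, $xml );
    return $filename;
}
```

With this handler, the PoC form above fails at check_ajax_referer() because the attacker's page cannot obtain a nonce bound to the victim's session.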

Affects Plugin

fixed in version 8.6.2

References

URL https://codecanyon.net/item/ultimate-membership-pro-wordpress-plugin/12159253
URL https://blog.wpscan.org/wpvulndb/report/2020/03/06/ultimate-membership-pro-recent-vulnerabilities-breakdown.html

Classification

Type MULTI

Miscellaneous

Original Researcher ErwanLR
Submitter Website https://wpscan.org
Submitter Twitter erwan_lr
Views 2245
Verified Yes
WPVDB ID 10086

Timeline

Publicly Published 2020-02-24
Added 2020-02-24
Last Updated 2020-03-07
