Ultimate Member <= 2.0.51 - CSRF and Stored XSS issues
Description
A CSRF vulnerability in adding/editing user roles in Ultimate Member 2.0.49. It also leads to stored XSS.

Edit (WPScanTeam):
July 9th, 2019 - v2.0.50 released and still affected. Escalated to the WP Plugins Team.
July 9th, 2019 - v2.0.51 released, fixing the CSRF but not the XSS.
July 11th, 2019 - Escalated again to the WP Plugins Team, as another XSS had been reported on June 24th, 2019 (https://github.com/ultimatemember/ultimatemember/issues/578) and was still unfixed.
July 11th, 2019 - v2.0.52 released, fixing both XSS issues.

Proof of Concept
Video PoC: https://drive.google.com/file/d/1wz846fP9rB97PlRSlC4xHYW_Q5QJXK4s/view?usp=sharing

csrf-um.html: https://drive.google.com/file/d/1p6Rzw3ts7RASP4X7H8v2CI3TIXPVwVn1/view?usp=sharing

Affects Plugin

Ultimate Member, fixed in version 2.0.52

References

CVE-2019-14946
CVE-2019-14947

Classification

Type XSS
OWASP Top 10 A7: Cross-Site Scripting (XSS)
CWE CWE-79

Miscellaneous

Original Researcher m0ns7er
Submitter Akash Labade
Submitter Website https://www.asfaleia.tech
Submitter Twitter akash_labade
Views 5387
Verified Yes
WPVDB ID 9449

Timeline

Publicly Published 2019-06-24
Added 2019-07-11
Last Updated 2019-08-24
