High-Tech Bridge advisory HTB23277
Oct 29, 2015

Reflected XSS in Ultimate Member WordPress Plugin

2015-10-29 00:00:00
High-Tech Bridge
www.htbridge.com

EPSS: 0.003 (Low), percentile 65.8%

High-Tech Bridge Security Research Lab discovered a vulnerability in the Ultimate Member WordPress plugin, which is intended for managing users’ profiles. The vulnerability can be used against website administrators to perform Cross-Site Scripting (XSS) attacks.

An anonymous attacker might be able to steal the administrator’s cookies, credentials and browser history, modify web page content to perform phishing attacks, or even perform drive-by-download attacks by injecting malware into website pages, provided the website administrator follows a specially crafted link containing the XSS exploit.

The vulnerability is caused by the absence of filtering of input data passed via the “_refer” HTTP GET parameter to the “wp-admin/users.php” script when “update” is set to the value “confirm_delete”. A remote unauthenticated attacker can trick a logged-in administrator into opening a specially crafted link and thereby execute arbitrary HTML and script code in the administrator’s browser in the context of the vulnerable website.

The simple exploit below displays a JS popup containing the word “ImmuniWeb”:

http://[host]/wp-admin/users.php?update=confirm_delete&_refer='"><script>alert('ImmuniWeb');</script>
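The following Python example is added here for defenders and is not part of the advisory or of the Ultimate Member plugin's code. It illustrates the two sides of the issue described above: first, a hypothetical reflection of the “_refer” value into an HTML attribute without escaping, next to the escaped form that neutralises the advisory's payload; second, a small access-log scanner that flags requests to wp-admin/users.php carrying update=confirm_delete whose “_refer” value contains markup or event-handler syntax, so exploitation attempts can be spotted in web-server logs. The log lines, the `reflect_unsafe`/`reflect_safe` functions and the `SUSPICIOUS` pattern are all constructed for this example.

```python
"""
Added example (not from the HTB23277 advisory or the Ultimate Member plugin).

1. reflect_unsafe / reflect_safe: why echoing "_refer" verbatim into the page is
   dangerous and how HTML-attribute escaping neutralises the advisory's payload.
2. scan_access_log: flag requests to wp-admin/users.php with
   update=confirm_delete whose "_refer" value carries HTML or event handlers.

All log lines below are constructed for this example.
"""
import html
import re
from urllib.parse import parse_qs, unquote, urlsplit

# The PoC value from the advisory, decoded.
PAYLOAD = "'\"><script>alert('ImmuniWeb');</script>"


def reflect_unsafe(refer: str) -> str:
    """Hypothetical vulnerable pattern: the parameter lands in an attribute unescaped."""
    return f'<input type="hidden" name="_refer" value="{refer}">'


def reflect_safe(refer: str) -> str:
    """Hardened form: escape quotes and angle brackets before placing the value in an attribute."""
    return f'<input type="hidden" name="_refer" value="{html.escape(refer, quote=True)}">'


def breaks_out_of_attribute(markup: str) -> bool:
    """True if a <script> tag survives as real markup rather than as HTML entities."""
    return "<script" in markup


# Markup, javascript: URLs or on*= handlers should never appear in a redirect-target parameter.
SUSPICIOUS = re.compile(r"<\s*/?\s*[a-z]|javascript:|on[a-z]+\s*=", re.IGNORECASE)

# Constructed Apache/nginx combined-format lines: one benign, two attempts, one without the action.
SAMPLE_LOG = """\
203.0.113.5 - - [29/Oct/2015:10:01:02 +0000] "GET /wp-admin/users.php?update=confirm_delete&_refer=%2Fwp-admin%2Fusers.php HTTP/1.1" 200 512
203.0.113.9 - - [29/Oct/2015:10:02:15 +0000] "GET /wp-admin/users.php?update=confirm_delete&_refer=%27%22%3E%3Cscript%3Ealert(%27ImmuniWeb%27)%3B%3C%2Fscript%3E HTTP/1.1" 200 640
203.0.113.9 - - [29/Oct/2015:10:02:40 +0000] "GET /wp-admin/users.php?update=confirm_delete&_refer=%2Fwp-admin%2F%3Fonload%3Dalert(1) HTTP/1.1" 200 640
203.0.113.7 - - [29/Oct/2015:10:03:00 +0000] "GET /wp-admin/users.php?_refer=%3Cb%3Ex HTTP/1.1" 200 300
"""

REQUEST_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(?:GET|POST) (\S+) [^"]*"')


def scan_access_log(text: str):
    """Return (client_ip, timestamp, decoded _refer) for each suspicious request."""
    hits = []
    for line in text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        ip, ts, target = m.groups()
        parts = urlsplit(target)
        if not parts.path.endswith("/wp-admin/users.php"):
            continue
        qs = parse_qs(parts.query, keep_blank_values=True)
        if qs.get("update") != ["confirm_delete"]:
            continue  # the advisory ties the reflection to this action
        for value in qs.get("_refer", []):
            decoded = unquote(value)  # parse_qs decoded once; catch double-encoded payloads too
            if SUSPICIOUS.search(decoded):
                hits.append((ip, ts, decoded))
    return hits


if __name__ == "__main__":
    print("unsafe:", reflect_unsafe(PAYLOAD))
    print("safe:  ", reflect_safe(PAYLOAD))
    for hit in scan_access_log(SAMPLE_LOG):
        print("suspicious _refer:", hit)
```

The scanner keys on the exact condition the advisory names (the “update=confirm_delete” action plus a “_refer” value that is not a plain path), which keeps false positives low on a busy wp-admin log; the escaping function shows that the fix is output encoding at the point of reflection, not blocklisting of the input.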
