Exploit for php platform in category web applications
Product: Ultimate Member WordPress plugin
Vendor: Ultimate Member
Vulnerable Version(s): 1.3.28 and probably prior
Tested Version: 1.3.28
Advisory Publication: October 29, 2015 [without technical details]
Vendor Notification: October 29, 2015
Vendor Patch: October 31, 2015
Public Disclosure: November 19, 2015
Vulnerability Type: Cross-Site Scripting [CWE-79]
CVE Reference: CVE-2015-8354
Risk Level: Medium
CVSSv3 Base Score: 6.1 [CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N]
Solution Status: Fixed by Vendor
Discovered and Provided: High-Tech Bridge Security Research Lab ( https://www.htbridge.com/advisory/ )
-----------------------------------------------------------------------------------------------
Advisory Details:
High-Tech Bridge Security Research Lab discovered vulnerability in Ultimate Member WordPress plugin, intended for managing usersβ profiles. The vulnerability can be used against website administrators to perform Cross-Site Scripting (XSS) attacks.
Anonymous attacker might be able to steal administrator's cookies, credentials and browser history, modify web page content to perform phishing attacks, or even to perform drive-by-download attacks by injecting malware into website pages when the website administrator follows a specially crafted link with XSS exploit.
The vulnerability is caused by absence of filtration of input-data passed via the "_refer" HTTP GET parameter to "wp-admin/users.php" script, when "update" is set to value "confirm_delete". A remote unauthenticated attacker can trick a logged-in administrator to open a specially crafted link and execute arbitrary HTML and script code in browser in context of the vulnerable website.
A simple exploit below will display JS popup with "ImmuniWeb" word:
http://[host]/wp-admin/users.php?update=confirm_delete&_refer='"><script>alert('ImmuniWeb');</script>
-----------------------------------------------------------------------------------------------
Solution:
Update to Ultimate Member 1.3.29
# 0day.today [2018-01-01] #