CVE-2020-36155
published 2021-01-04


Priority: P1 83
Severity: critical (CVSS 3.1 base score 9.8)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Flags: ITW, EXPLOIT, VulnCheck KEV
Exploited in the wild
EPSS: 8.97% (94.6th percentile)
An issue was discovered in the Ultimate Member plugin before 2.1.12 for WordPress, aka Unauthenticated Privilege Escalation via User Meta. An attacker could supply an array parameter for sensitive metadata, such as the wp_capabilities user meta that defines a user's role. During the registration process, submitted registration details were passed to the update_profile function, and any metadata was accepted, e.g., wp_capabilities[administrator] for Administrator access.

Affected (1 range)

Vendor           Product           Version range   Fixed in
ultimatemember   ultimate_member   < 2.1.12        2.1.12

Detection & IOCs (extracted from sources)

path:     /wp-content/plugins/ultimate-member
path:     /register/
command:  wp_capabilities%5Badministrator%5D=
  • During registration (POST /register), monitor for the presence of 'wp_capabilities[administrator]' (URL-encoded as wp_capabilities%5Badministrator%5D) in the POST body, which indicates an attempted privilege escalation via user meta injection.
  • A successful exploit results in a 302 redirect response containing a 'wordpress_logged_in' cookie and a body of length 1 — monitor for this pattern following a registration POST request.
  • After registration, the attacker accesses /wp-admin/users.php; a 200 response containing 'Edit Profile' and 'All Posts' confirms successful administrator privilege escalation.
  • Identify vulnerable WordPress installations by searching for '/wp-content/plugins/ultimate-member' in HTTP response bodies (Shodan/FOFA query).
  • The vulnerability affects Ultimate Member plugin versions before 2.1.12 for WordPress. The fix was introduced in version 2.1.12.
  • The exploit requires the WordPress site to have the Ultimate Member registration form publicly accessible (/register/). The attack is unauthenticated and requires no prior privileges.
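As an added example (not part of this CVE record, and not code from the Ultimate Member project), the detection bullets above turned into a small log scanner: it decodes POST form bodies and flags any field that targets the wp_capabilities user meta, whether sent plainly or as an array such as wp_capabilities[administrator], and marks the request as a likely success when the response matches the 302 / wordpress_logged_in cookie / body-length-1 pattern. The log is a constructed JSON-lines sample, and the field names (ts, src, method, path, body, status, set_cookie, resp_len) are assumptions to adapt to your own proxy or WAF export.

```python
"""Flag Ultimate Member user-meta injection attempts in a request log.

Added example; not from the CVE record or the plugin. Assumes a JSON-lines
request log (one object per line) with the fields used below.
"""
import json
import re
from urllib.parse import parse_qs

# Any form field named wp_capabilities, or an array form of it such as
# wp_capabilities[administrator]. The field arrives URL-encoded as
# wp_capabilities%5Badministrator%5D and is decoded by parse_qs before matching.
SENSITIVE_META = re.compile(r"^wp_capabilities(\[[^\]]*\])?$")

# Constructed sample log lines (not real traffic); assumed field names.
SAMPLE_LOG = "\n".join([
    json.dumps({"ts": "2021-01-04T10:00:01Z", "src": "198.51.100.7", "method": "POST",
                "path": "/register/",
                "body": "username=alice&user_email=alice%40example.com&user_password=x",
                "status": 302, "set_cookie": "", "resp_len": 0}),
    json.dumps({"ts": "2021-01-04T10:00:09Z", "src": "203.0.113.5", "method": "POST",
                "path": "/register/",
                "body": "username=mallory&user_email=m%40example.com&user_password=x"
                        "&wp_capabilities%5Badministrator%5D=1",
                "status": 302, "set_cookie": "wordpress_logged_in_abc=mallory%7Cdeadbeef; path=/",
                "resp_len": 1}),
    json.dumps({"ts": "2021-01-04T10:00:12Z", "src": "203.0.113.5", "method": "GET",
                "path": "/wp-admin/users.php", "body": "",
                "status": 200, "set_cookie": "", "resp_len": 48210}),
    json.dumps({"ts": "2021-01-04T10:01:00Z", "src": "192.0.2.9", "method": "POST",
                "path": "/register/", "body": "username=bob&wp_capabilities=editor",
                "status": 200, "set_cookie": "", "resp_len": 2140}),
])


def injected_meta_fields(body):
    """Return the decoded form-field names in `body` that target wp_capabilities."""
    fields = parse_qs(body, keep_blank_values=True)
    return sorted(name for name in fields if SENSITIVE_META.match(name))


def scan_log(text):
    """Scan JSON-lines request log text; return one finding per suspicious POST."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        if not raw.strip():
            continue
        ev = json.loads(raw)
        if ev.get("method") != "POST":
            continue
        hits = injected_meta_fields(ev.get("body", ""))
        if not hits:
            continue
        set_cookie = ev.get("set_cookie", "") or ""
        findings.append({
            "line": lineno,
            "src": ev.get("src"),
            "path": ev.get("path"),
            "fields": hits,
            # The plugin's registration form is the path named in the advisory.
            "registration": (ev.get("path") or "").startswith("/register"),
            # Success pattern from the detection notes: 302 + login cookie + 1-byte body.
            "likely_success": (ev.get("status") == 302
                               and "wordpress_logged_in" in set_cookie
                               and ev.get("resp_len") == 1),
        })
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f)
```

Only POST bodies are inspected, so the follow-up GET to /wp-admin/users.php in the sample is not a finding on its own; correlating it by source address with an earlier flagged registration is the natural next step in a SIEM rule.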

CVSS provenance

Source      Version   Score   Severity   Vector
nvd         v3.1      9.8     CRITICAL   CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd         v2.0      7.5     HIGH       AV:N/AC:L/Au:N/C:P/I:P/A:P
vulncheck             10.0    CRITICAL