CVE-2020-36155
Published 2021-01-04
Priority: P183 · Severity: critical · CVSS 3.1 base score: 9.8
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
In the wild: ITW exploit · VulnCheck KEV · Exploited in the wild
EPSS: 8.97% (94.6th percentile)
An issue was discovered in the Ultimate Member plugin before 2.1.12 for WordPress, aka Unauthenticated Privilege Escalation via User Meta. An attacker could supply an array parameter for sensitive metadata, such as the wp_capabilities user meta that defines a user's role. During the registration process, submitted registration details were passed to the update_profile function, and any metadata was accepted, e.g., wp_capabilities[administrator] for Administrator access.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| ultimatemember | ultimate_member | < 2.1.12 | 2.1.12 |
Detection & IOCs (extracted from sources)
- During registration (POST /register), monitor for the presence of 'wp_capabilities[administrator]' (URL-encoded as wp_capabilities%5Badministrator%5D) in the POST body, which indicates an attempted privilege escalation via user meta injection.
- A successful exploit results in a 302 redirect response containing a 'wordpress_logged_in' cookie and a body of length 1; monitor for this pattern following a registration POST request.
- After registration, the attacker accesses /wp-admin/users.php; a 200 response containing 'Edit Profile' and 'All Posts' confirms successful administrator privilege escalation.
- Identify vulnerable WordPress installations by searching for '/wp-content/plugins/ultimate-member' in HTTP response bodies (Shodan/FOFA query).
- The vulnerability affects Ultimate Member plugin versions before 2.1.12 for WordPress. The fix was introduced in version 2.1.12.
- The exploit requires the WordPress site to have the Ultimate Member registration form publicly accessible (/register/). The attack is unauthenticated and requires no prior privileges.
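Detection logic for the first two indicators above, written as an added example for this page (it is not code from the page's sources or from the plugin): it scans registration POST bodies for array-style sensitive user meta keys and checks the reported success-response shape. The function names, the `SENSITIVE_META` list and the sample request records are constructed assumptions.

```python
"""Detection for CVE-2020-36155 indicators: array-style sensitive user meta
in Ultimate Member registration POSTs, plus the success response pattern."""
import re
from urllib.parse import parse_qsl

# WordPress user meta keys that control privilege; array-style submission of
# any of them through the public registration form is the injection pattern.
SENSITIVE_META = {"wp_capabilities", "wp_user_level", "role"}
ARRAY_KEY = re.compile(r"^(?P<base>[A-Za-z0-9_]+)\[(?P<index>[^\]]*)\]$")

# Constructed sample records (method, path, body); not captured traffic.
SAMPLE_REQUESTS = [
    ("POST", "/register/", "user_login=alice&user_email=alice%40example.test&user_password=pw"),
    ("POST", "/register/", "user_login=mallory&wp_capabilities%5Badministrator%5D=1&user_password=pw"),
    ("POST", "/wp-login.php", "log=bob&pwd=pw"),
    ("GET", "/register/", ""),
]

def is_register_post(method, path):
    """Scope the rule to the public registration endpoint (POST /register)."""
    return method.upper() == "POST" and path.split("?", 1)[0].rstrip("/").endswith("/register")

def find_meta_injection(body):
    """Return (meta_key, index) pairs for sensitive array-style parameters.

    parse_qsl decodes percent-encoding, so wp_capabilities%5Badministrator%5D
    is matched as wp_capabilities[administrator]."""
    hits = []
    for key, _value in parse_qsl(body, keep_blank_values=True):
        m = ARRAY_KEY.match(key)
        if m and m.group("base") in SENSITIVE_META:
            hits.append((m.group("base"), m.group("index")))
    return hits

def is_success_pattern(status, set_cookie, body_length):
    """Response shape the sources report for a successful exploit: a 302
    redirect that sets a wordpress_logged_in cookie with a one-byte body."""
    return status == 302 and "wordpress_logged_in" in set_cookie and body_length == 1

def scan_requests(records):
    """Run the request rule over (method, path, body) records; return alerts."""
    alerts = []
    for method, path, body in records:
        if not is_register_post(method, path):
            continue
        for meta, index in find_meta_injection(body):
            alerts.append({"path": path, "meta": meta, "index": index})
    return alerts

if __name__ == "__main__":
    for alert in scan_requests(SAMPLE_REQUESTS):
        print("ALERT user-meta injection:", alert)
```

Pair a request alert with `is_success_pattern` on the matching response to distinguish an attempt from a confirmed escalation.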
CVSS provenance
- NVD (v3.1): 9.8 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- NVD (v2.0): 7.5 HIGH, AV:N/AC:L/Au:N/C:P/I:P/A:P
- VulnCheck: 10.0 CRITICAL
GHSA
GHSA-9pq7-v5jj-f484 (ghsa_unreviewed, 2022-05-24): CVE-2020-36155 [CRITICAL], CWE-269. Description as given above.
VulnCheck
CVE-2020-36155 [CRITICAL] Ultimate Member ultimate_member Improper Privilege Management (vulncheck, 2020, CVSS 10.0). Description as given above.
Affected: Ultimate Member ultimate_member
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://www.wordfence.com/threat-int
No detection rules found.
Nuclei
CVE-2020-36155 [CRITICAL] Ultimate Member < 2.1.12 - Unauthenticated Privilege Escalation via User Meta (nuclei, CVSS 9.8). Description as given above.
Template (as indexed, truncated):
```yaml
id: CVE-2020-36155

info:
  name: Ultimate Member < 2.1.12 - Unauthenticated Privilege Escalation via User Meta
  author: riteshs4hu
  severity: critical
  description: |
    An issue was discovered in the Ultimate Member plugin before 2.1.12 for
```
No writeups or analysis indexed.
References
- https://wordpress.org/plugins/ultimate-member/#developers
- https://wpscan.com/vulnerability/cf13b0f8-5815-4d27-a276-5eff8985fc0b
- https://www.wordfence.com/blog/2020/11/critical-privilege-escalation-vulnerabilities-affect-100k-sites-using-ultimate-member-plugin/