Ultimate Member WordPress Plugin Vulnerability Affects Up To 200k Sites

A vulnerability in the popular Ultimate Member WordPress plugin enables account takeover by exposing password reset links. The flaw makes it possible for attackers with authenticated contributor-level access or higher to obtain password reset URLs for user accounts, including administrators.

The vulnerability affects up to 200,000 WordPress installations (the plugin's active-install count) and carries a CVSS score of 8.8 (High).

Ultimate Member WordPress Plugin

Ultimate Member is a membership and user profile plugin for WordPress that helps websites create online communities, membership portals, and user directories. It provides front-end registration, login, profiles, and searchable member directories. The plugin enables users to become authors and create posts and comments.

Vulnerable To Authenticated Attackers

This is an authenticated vulnerability: an attacker first needs an account with Contributor-level permissions or higher. On sites where registered members are granted such roles, which Ultimate Member is designed to support, that barrier is low. Successful exploitation enables full takeover of any account on the site, including administrator accounts.

Password Reset Link Disclosure

The vulnerability is caused by three separate logic flaws that become dangerous when chained together.

The first flaw allows attackers to trick the plugin into treating arbitrary posts as legitimate member directories. A member directory is normally a controlled list of users displayed on the site, but the flawed validation makes it possible to redirect directory-related functionality toward attacker-controlled content.

The second flaw allows attackers to bypass restrictions on protected metadata fields. User metadata in WordPress often holds internal state that plugins expect ordinary users cannot read or manipulate directly; WordPress itself treats meta keys beginning with an underscore as protected, and plugins commonly layer their own restrictions on top of that.

The third flaw is due to a failure to properly validate field names used when generating user card data. Because of this missing validation, attackers can request internal fields that should never be exposed publicly, including the password reset link.
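The third flaw is the one that does the actual disclosing, and the pattern behind it is worth seeing in code. The following is an added illustration written for this article, not Ultimate Member's own code: a simplified "user card" routine that returns whatever field names the caller asks for, beside a hardened version that answers only from an explicit allowlist of public profile fields. The user record, the field names (including password_reset_link), and the reset URL are constructed sample data, and plain PHP arrays stand in for WordPress user meta, so it runs without WordPress.

```php
<?php
// Added illustration, not Ultimate Member's code. Shows why accepting
// caller-supplied field names when building member-directory user cards
// leaks internal metadata, and how an allowlist closes that hole.

// Constructed stand-in for one user's meta. The reset link is fake sample data.
$adminMeta = [
    'display_name'        => 'Site Admin',
    'user_login'          => 'admin',
    'description'         => 'Runs the site.',
    'password_reset_link' => 'https://example.com/reset/?key=CONSTRUCTED_SAMPLE&login=admin',
];

/**
 * Vulnerable pattern: every requested field name is trusted as-is, so a
 * request that names an internal key gets that key's value back.
 */
function user_card_vulnerable(array $meta, array $requestedFields): array
{
    $card = [];
    foreach ($requestedFields as $field) {
        if (array_key_exists($field, $meta)) {
            $card[$field] = $meta[$field];
        }
    }
    return $card;
}

// Hypothetical allowlist of fields a member directory may ever render.
const PUBLIC_CARD_FIELDS = ['display_name', 'user_login', 'description', 'avatar'];

/**
 * Hardened pattern: the request may only select from the allowlist. Anything
 * else is dropped before the meta store is consulted, so internal keys such
 * as a reset link can never reach the response, whatever the caller names.
 */
function user_card_hardened(array $meta, array $requestedFields): array
{
    $card = [];
    foreach ($requestedFields as $field) {
        if (!in_array($field, PUBLIC_CARD_FIELDS, true)) {
            continue; // not a public field: ignore it
        }
        if (array_key_exists($field, $meta)) {
            $card[$field] = $meta[$field];
        }
    }
    return $card;
}

// A low-privilege caller asks for a public field and an internal one.
$request = ['display_name', 'password_reset_link'];

$leaky = user_card_vulnerable($adminMeta, $request);
$safe  = user_card_hardened($adminMeta, $request);

// The vulnerable card carries the reset link; the hardened one does not.
assert(array_key_exists('password_reset_link', $leaky));
assert(!array_key_exists('password_reset_link', $safe));
assert($safe === ['display_name' => 'Site Admin']);

print_r($leaky);
print_r($safe);
```

The design point is the direction of the check: the hardened version decides what is public and refuses everything else, rather than trying to enumerate which internal keys must be hidden. A denylist has to be kept in step with every internal field the plugin ever stores; an allowlist only has to name the handful of fields a directory card is meant to show.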

Impact Of The Vulnerability

A live password reset link is effectively a temporary credential: whoever holds it can set a new password for the account. Such links are meant to be private and delivered only to the account owner during password recovery.

Because the plugin does not validate which fields may be requested, an attacker can make the member directory response disclose those links and then use one to set a new password on any account, including an administrator account, which grants full control of the site.

According to Wordfence:

“This makes it possible for authenticated attackers with Contributor-level access and above to leak live password reset URLs for all users in the member directory response, including administrators.”

Patch Available

The vulnerability affects all versions of Ultimate Member up to and including 2.11.4. It is fixed in version 2.12.0, which adds stricter validation of member directory handling and of the user data fields a directory may return. Site owners running Ultimate Member should update to 2.12.0 or newer immediately.
