Ultimate Member plugin (CVE-2024-1071)

March 22, 2024

Hello readers, welcome to this informative blog post. Today, we’ll explore a critical security vulnerability that has recently come to light in the Ultimate Member plugin for WordPress. This flaw, identified as CVE-2024-1071, poses a significant risk to over 200,000 active installations of the plugin. So, let’s roll up our sleeves and understand the intricacies of this issue.

Overview

The Ultimate Member plugin, widely used to add user engagement and community-building features to WordPress websites, has been found to contain a critical vulnerability. Specifically, versions 2.1.3 to 2.8.2 of the Ultimate Member plugin are affected. The heart of the problem is an unauthenticated SQL Injection flaw in the ‘sorting’ parameter. But what does that mean?

When attackers exploit this weakness, they can inject malicious SQL queries into affected websites. The vulnerability arises due to insufficient input sanitization and inadequate query preparation. In simpler terms, the plugin doesn’t properly handle user input related to sorting, leaving a door wide open for attackers to wreak havoc.

The severity of the situation is underscored by a CVSS score of 9.8, classifying it as critical. This score indicates that attackers could potentially extract sensitive data from compromised databases, posing a severe threat to website security. Imagine the impact on website security when adversaries gain unauthorized access to user information, login credentials, or other critical data.

Adding to the urgency is the active exploitation of this vulnerability by a pro-Palestinian group known as "Handala." The group has been observed exploiting the flaw rapidly, using techniques that include time-based blind SQL Injection.

Technical Details of CVE-2024-1071

The vulnerability within the Ultimate Member plugin revolves around the 'sorting' parameter, which controls how the plugin orders the data it displays. The parameter is sent to the /wp-admin/admin-ajax.php endpoint, which handles sorting requests and returns the requested data, so it is in play during tasks such as viewing user profiles or handling community content.

At the core of the problem is how the plugin handles user input supplied through the 'sorting' parameter. The plugin lacks adequate validation and sanitization for this input, so any value, malicious or not, passes through the system unchecked. This gap is particularly concerning because the plugin constructs an SQL query from that input and sends the resulting statement to the backend database management system. It is also noteworthy that the attack requires no authentication: a potential attacker can exploit the vulnerability without any prior access to the site, which raises the urgency of addressing this security flaw within the Ultimate Member plugin.

Importantly, sites that have enabled the “Enable custom table for usermeta” setting within the plugin configuration are at heightened risk.

Identifying and Exploiting the Vulnerability

Prepare for a hands-on demonstration where we'll be setting up a lab to showcase the vulnerability within the Ultimate Member plugin. This practical session aims to provide a clear understanding of the exploit, illustrating the potential risks and consequences associated with this identified security flaw. 

To get started, ensure you have Docker installed on your system. Below is the Docker Compose configuration that you can use to set up the lab environment:


version: '3.3'

services:
  db:
    image: mysql:8.0
    environment:
      MYSQL_ROOT_PASSWORD: somewordpress
      MYSQL_DATABASE: wordpress
      MYSQL_USER: wordpress
      MYSQL_PASSWORD: wordpress

  wordpress:
    image: wordpress:latest
    ports:
      - "8080:80"
    depends_on:
      - db
    environment:
      WORDPRESS_DB_HOST: db
      WORDPRESS_DB_USER: wordpress
      WORDPRESS_DB_PASSWORD: wordpress
      WORDPRESS_DB_NAME: wordpress
    volumes:
      - ./wp-content:/var/www/html/wp-content

Copy this code into a docker-compose.yml file. This docker-compose.yml file specifies MySQL version 8.0 and uses the latest version of the WordPress image. Now open a terminal, navigate to the directory containing the file, and run docker-compose up --build from that directory. This will pull the required Docker images and set up a local WordPress instance into which we will install the vulnerable plugin. After the containers are running, you can access the local WordPress site by opening http://localhost:8080 in your web browser.

Upon accessing the url, set up the environment with all necessary details and access the admin dashboard. To proceed with the demonstration, install the vulnerable version of the Ultimate Member plugin by downloading it here. Once downloaded, navigate to the WordPress admin dashboard, go to the "Plugins" section, select "Add New," choose "Upload Plugin," upload the downloaded file, and activate the plugin. With the vulnerable version in place, we're ready to explore.

Additionally, confirm the plugin is active by navigating to http://localhost:8080/wp-admin/plugins.php. After activation, check the “Enable custom table for usermeta” option by visiting http://localhost:8080/wp-admin/admin.php?page=um_options&tab=misc. These settings are crucial for our demonstration, allowing us to simulate and understand the intricacies of the identified security flaw in the Ultimate Member plugin.

When conducting a penetration test on a real WordPress website, the initial step involves identifying the plugins running on the site, along with their version numbers. To facilitate this process, WPScan can be a valuable tool. You can find WPScan on GitHub: https://github.com/wpscanteam/wpscan. This tool is designed to efficiently enumerate and gather information about plugins, themes, and the overall WordPress environment.

Fig: Identifying the plugins

WPScan identifies the running plugin along with its version, and also reports that it is vulnerable to CVE-2024-1071. So now we proceed to exploit the identified issue within this plugin. We'll be utilizing a proof of concept (POC) created by the GitHub user "gbrsh." Begin by downloading the POC script from the following link: https://github.com/gbrsh/CVE-2024-1071/blob/main/exploit.py. Once downloaded, run the script, specifying the target:

This confirms that the site, running version 2.8.2, is vulnerable. With this information in hand, proceed to use sqlmap to exploit the vulnerability. Run the following sqlmap command:

$ sqlmap -u http://X.X.X.180:8080/wp-admin/admin-ajax.php --method POST --data "action=um_get_members&nonce=bd270be243&directory_id=b9238&sorting=user_login" --dbms mysql --technique=T -p sorting

This command leverages sqlmap to interact with the vulnerable site, utilizing the identified parameters to exploit the SQL injection vulnerability and retrieve valuable information from the backend database.

The sqlmap scan results indicate that the POST parameter 'sorting' is indeed vulnerable to time-based blind SQL injection. Here's a summary of the findings:

  • The injection point on POST parameter 'sorting' has been identified as 'MySQL >= 5.0.12 AND time-based blind (query SLEEP).'
  • SQLmap successfully confirmed the vulnerability with a time-based blind injection test.
  • The backend database management system (DBMS) is identified as MySQL >= 5.0.12.
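As an added example (not code from the blog post, the plugin, or the PoC author), the following Python triages captured admin-ajax.php POST bodies for the pattern described in the sections above and checks a reported plugin version against the affected range 2.1.3 to 2.8.2. The sample bodies and the allowlist of legitimate sort keys are constructed assumptions; the real set of valid sort values comes from the site's own member directory settings.

```python
import re
from urllib.parse import parse_qs

# Constructed sample POST bodies to /wp-admin/admin-ajax.php, as a WAF or
# log shipper might capture them. Not real traffic.
SAMPLE_BODIES = [
    "action=um_get_members&nonce=bd270be243&directory_id=b9238&sorting=user_login",
    "action=um_get_members&nonce=bd270be243&directory_id=b9238&sorting=user_login%20AND%20SLEEP%285%29",
    "action=um_get_members&nonce=bd270be243&directory_id=b9238&sorting=user_login%27",
    "action=heartbeat&_nonce=abc",
]

# Assumed allowlist of legitimate sort keys for the member directory.
ALLOWED_SORT_KEYS = {"user_login", "display_name", "user_registered", "last_login"}

# MySQL time-delay functions used by time-based blind injection (sqlmap --technique=T).
TIME_BASED_RE = re.compile(r"\b(SLEEP|BENCHMARK)\s*\(", re.IGNORECASE)


def classify_sorting(body: str) -> str:
    """Classify one POST body: 'ignore', 'ok', 'suspicious' or 'time-based-sqli'."""
    params = parse_qs(body, keep_blank_values=True)
    # Only the member-directory action carries the vulnerable parameter.
    if params.get("action", [""])[0] != "um_get_members":
        return "ignore"
    sorting = params.get("sorting", [""])[0]  # parse_qs already URL-decodes
    if TIME_BASED_RE.search(sorting):
        return "time-based-sqli"
    # Anything that is not exactly an allowlisted key is worth a look:
    # quotes, parentheses, keywords or unknown column names.
    if re.fullmatch(r"[a-z_]+", sorting) and sorting in ALLOWED_SORT_KEYS:
        return "ok"
    return "suspicious"


def affected_version(version: str) -> bool:
    """True when a reported Ultimate Member version falls in 2.1.3 .. 2.8.2 (fixed in 2.8.3)."""
    parts = tuple(int(p) for p in re.findall(r"\d+", version)[:3])
    return (2, 1, 3) <= parts <= (2, 8, 2)


def triage(bodies):
    """Pair each body with its classification for review or alerting."""
    return [(classify_sorting(b), b) for b in bodies]


if __name__ == "__main__":
    for verdict, body in triage(SAMPLE_BODIES):
        print(f"{verdict:16} {body}")
    print("2.8.2 affected:", affected_version("2.8.2"), "| 2.8.3 affected:", affected_version("2.8.3"))
```

The same check can be run against request bodies exported from a reverse proxy or WAF; only the 'sorting' value of um_get_members requests is inspected, so unrelated admin-ajax.php traffic is skipped.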

Mitigation

Here are the steps you can take to safeguard your WordPress site:

  • Update the Plugin Promptly: The plugin developers have addressed the issue by releasing version 2.8.3 on February 19. Strongly urge your users to update their Ultimate Member plugin to the latest version without delay. Timely updates are crucial, especially given how quickly attackers began exploiting this vulnerability.
  • Disable the “Enable Custom Table for Usermeta” Option: If your users have enabled this option within the plugin settings, they are particularly vulnerable. Disabling it can mitigate the risk associated with the unauthenticated SQL Injection flaw.
