Ultimate Member WordPress Plugin Vulnerability Affects Up to 200k Sites

A vulnerability in the popular Ultimate Member WordPress plugin enables account takeover by exposing password reset links. The flaws make it possible for attackers with Contributor-level authenticated access or higher to obtain password reset URLs for user accounts, including administrators.
The vulnerability affects up to 200,000 WordPress installations and carries a severity rating of 8.8/10.
Ultimate Member WordPress Plugin
Ultimate Member is a membership and user profile plugin for WordPress that helps websites create online communities, membership sites, and user directories. It provides end-to-end registration, login, profiles, and searchable member profiles. The plugin allows users to become authors and create posts and comments.
Vulnerable to Authenticated Attackers
This is an authenticated vulnerability, which means that attackers must first obtain Contributor-level permissions or higher to exploit it. Successful exploitation enables full takeover of website accounts.
Password Reset Link Disclosure
The vulnerability is caused by three separate flaws that become dangerous when chained together.
The first flaw allows attackers to trick the plugin into treating arbitrary posts as legitimate member directories. A member directory is normally a controlled list of users displayed on a site, but flawed validation makes it possible to redirect directory-related operations to attacker-controlled content.
The second flaw allows attackers to bypass restrictions on protected metadata fields. Metadata in WordPress often holds internal information that plugins assume ordinary users cannot directly manipulate.
The third flaw is a failure to correctly validate the names of the fields used when generating member card data. Because of this missing validation, attackers can request internal fields that should never be exposed, including the password reset link.
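The three checks described above, modelled in plain PHP as an added example. This is not Ultimate Member's code; the post type name, the allow-list of public fields, the meta key names and the sample records are all constructed placeholders, and the protected-key rule follows WordPress's convention that meta keys starting with an underscore are internal.

```php
<?php
// Added example, not the plugin's own code. All names and data below are assumed.
const DIRECTORY_POST_TYPE = 'member_directory';                         // assumed post type
const PUBLIC_CARD_FIELDS  = ['display_name', 'user_url', 'description']; // assumed allow-list

// Constructed stand-in for the posts table: one real directory, one ordinary post.
$posts = [
    10 => ['post_type' => DIRECTORY_POST_TYPE, 'post_status' => 'publish'],
    11 => ['post_type' => 'post',              'post_status' => 'publish'],
];

// Constructed user record. Keys beginning with '_' are protected meta and
// must never reach a member card, whatever the request asks for.
$users = [
    1 => [
        'display_name' => 'Admin',
        'user_url'     => 'https://example.invalid',
        'description'  => 'Site owner',
        '_reset_link'  => 'PLACEHOLDER-SECRET', // internal value, never public
    ],
];

// Flaw 1: the directory id must resolve to a published post of the expected
// post type, so an arbitrary post cannot be passed off as a member directory.
function load_directory(array $posts, int $id): ?array {
    $post = $posts[$id] ?? null;
    if ($post === null || $post['post_type'] !== DIRECTORY_POST_TYPE
        || $post['post_status'] !== 'publish') {
        return null;
    }
    return $post;
}

// Flaws 2 and 3: a requested field name is accepted only if it is on the
// public allow-list, and protected meta keys are refused regardless.
function allowed_field(string $field): bool {
    if ($field === '' || $field[0] === '_') {
        return false;
    }
    return in_array($field, PUBLIC_CARD_FIELDS, true);
}

// Build the member card from the requested field names, dropping anything
// that fails the checks instead of passing raw names through to the user data.
function build_member_card(array $user, array $requested): array {
    $card = [];
    foreach ($requested as $field) {
        if (allowed_field($field) && array_key_exists($field, $user)) {
            $card[$field] = $user[$field];
        }
    }
    return $card;
}

var_dump(load_directory($posts, 11));                                   // NULL: not a directory
print_r(build_member_card($users[1], ['display_name', '_reset_link']));  // only display_name
```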
Impact of Vulnerability
Password reset links are temporary authentication credentials. They must be kept confidential and sent only to the account holder at the time of password recovery.
Because the plugin fails to properly validate which fields can be requested, attackers can make it reveal those links, which can then be used to reset the password of any account, including the administrator account that controls the website.
According to Wordfence:
“This makes it possible for authorized attackers with Contributor-level access and above to leak password reset URLs for all users in the member list response, including administrators.”
Patch Available
The vulnerability affects all versions of Ultimate Member up to and including version 2.11.4. A patch is available in version 2.12.0, which adds stricter validation of member directory handling and of the user data fields that may be requested. Users of the Ultimate Member plugin are advised to update to version 2.12.0 or newer as soon as possible.
Featured image by Shutterstock/Luis Molinero



