Ultimate Member WordPress Plugin Vulnerability Affects Up To 200k Sites

A vulnerability in the widely used Ultimate Member WordPress plugin allows account takeover by exposing password reset links. The flaw makes it possible for attackers with authenticated contributor-level access or higher to obtain password reset URLs for user accounts, including administrators.

The vulnerability affects up to 200,000 WordPress installations and is rated 8.8/10.

Ultimate Member WordPress Plugin

Ultimate Member is a membership and user profile plugin for WordPress that helps websites create online communities, membership portals, and user directories. It provides front-end registration, login, profiles, and searchable member directories. The plugin allows users to become authors and create posts and comments.

Vulnerable To Authenticated Attackers

This is an authenticated vulnerability, which means attackers must first acquire contributor-level permissions in order to exploit it. Successful exploitation of the vulnerability allows full site account takeover.

Password Reset Link Disclosure

The vulnerability is caused by three separate logic flaws that become dangerous when chained together.

The first flaw allows attackers to trick the plugin into treating arbitrary posts as legitimate member directories. A member directory is normally a managed list of users displayed on the site, but the flawed validation makes it possible to redirect directory-related functionality toward attacker-controlled content.

The second flaw allows attackers to bypass restrictions on protected metadata fields. Metadata in WordPress often contains internal information that plugins expect normal users cannot manipulate directly.

The third flaw is due to a failure to properly validate field names used when generating user card data. Because of this missing validation, attackers can request internal fields that should never be exposed publicly, including the password reset link.
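The third flaw is the classic "caller chooses the fields" mistake. The following PHP is an added illustration written for this article, not Ultimate Member's own code; the plugin's real field names and internal structure are not described on the page, so the user record, the function names and the allowlist below are all hypothetical. It contrasts a user-card builder that trusts the requested field list with one that filters requests against a fixed allowlist of public fields, which is the kind of stricter validation a patch for this class of bug introduces.

```php
<?php
// Added illustration (not the plugin's code): every identifier here is hypothetical.

// Constructed sample user record, as a directory endpoint might assemble it.
// WordPress stores the (hashed) password reset key in the user_activation_key
// column; the reset URL itself is shown here as a constructed placeholder.
$user = [
    'display_name'        => 'Alice Example',
    'user_url'            => 'https://example.invalid/alice',
    'description'         => 'Constructed sample bio',
    'user_activation_key' => 'CONSTRUCTED-RESET-KEY',
    'password_reset_link' => 'https://example.invalid/wp-login.php?action=rp&key=CONSTRUCTED-RESET-KEY&login=alice',
];

// Weak pattern: whatever field names the caller supplies are looked up and returned.
// A caller who knows (or guesses) an internal field name receives its value.
function user_card_unchecked(array $user, array $requested): array
{
    $card = [];
    foreach ($requested as $field) {
        if (array_key_exists($field, $user)) {
            $card[$field] = $user[$field];
        }
    }
    return $card;
}

// Hardened pattern: the set of fields a user card may ever carry is fixed in code.
// Requests for anything else are dropped rather than resolved against the record.
const PUBLIC_CARD_FIELDS = ['display_name', 'user_url', 'description'];

function user_card_allowlisted(array $user, array $requested): array
{
    $card = [];
    foreach ($requested as $field) {
        if (!in_array($field, PUBLIC_CARD_FIELDS, true)) {
            continue; // not a public field: ignore it, never consult the record
        }
        if (array_key_exists($field, $user)) {
            $card[$field] = $user[$field];
        }
    }
    return $card;
}

// Constructed request naming one public field and two internal ones.
$requested = ['display_name', 'password_reset_link', 'user_activation_key'];

print_r(array_keys(user_card_unchecked($user, $requested)));
// display_name, password_reset_link, user_activation_key  (secrets leaked)

print_r(array_keys(user_card_allowlisted($user, $requested)));
// display_name  (only the public field survives)
```

The allowlist is deliberately a constant rather than something derived from the request or from post metadata: the first two flaws in the chain exist precisely because attacker-influenced data (an arbitrary post, unprotected metadata) was allowed to shape what the directory code did, and a field allowlist that could be widened the same way would not close the hole.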

Impact Of The Vulnerability

Password reset links are effectively temporary login credentials. They are supposed to be private and sent only to the account owner during password recovery.

Because the plugin fails to properly validate which fields can be requested, attackers can force the plugin to disclose these reset links, which can then be used to reset any account's password, including that of an administrator account that controls site access.

According to Wordfence:

“This makes it possible for authenticated attackers with Contributor-level access and above to leak live password reset URLs for all users in the member directory response, including administrators.”

Patch Available

The vulnerability affects all versions of Ultimate Member up to and including version 2.11.4. A patch is available in version 2.12.0, which adds stricter validation around member directory handling and the user data fields that may be requested. Users of the Ultimate Member plugin are advised to update to version 2.12.0 or newer immediately.

Featured Image by Shutterstock/Luis Molinero
