Exploiting Ultimate Member WordPress Plugin Vulnerability
On July 1st, 2023, there was news that a "Vulnerability in WordPress plugin with 200,000+ active installations allows full site takeover with only 'trivial' effort". A CVE was also assigned to the vulnerability as CVE-2023-3460, with a CVSS v3.1 score of 9.8 ("critical").
As there was no publicly available exploit to use then and there, I decided to dig into the plugin installed in a personal WP setup and explore what could be done to exploit it.
After some hours of studying the plugin and understanding the process it uses, I found the route to exploitation.
Exploitation Route:
If you have ever installed WordPress and watched its DB closely, you may have observed the things highlighted below. If not, no worries; here is a brief explanation of the same (from Stack Overflow):
meta_key          meta_value
wp_capabilities   a:1:{s:13:"administrator";b:1;}
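The wp_capabilities value above is a PHP-serialized array of role => bool, and it is exactly the row a defender should watch: an unexpected "administrator" entry on a freshly registered user is the footprint of a privilege-escalation bug of this kind. The following audit script is an added example, not code from the original post or from the Ultimate Member project. It parses the serialized value in the flat form WordPress writes and flags any user holding administrator that is not on an allow-list. The sample wp_usermeta rows and the EXPECTED_ADMINS set are constructed for the example; on a real site they would come from a query against wp_usermeta and from your own list of known admins.

```python
import re

# Constructed sample rows from wp_usermeta (user_id, meta_key, meta_value).
# Not taken from any real site; the prefix "wp_" is the WordPress default.
SAMPLE_USERMETA = [
    (1, "wp_capabilities", 'a:1:{s:13:"administrator";b:1;}'),
    (2, "wp_capabilities", 'a:1:{s:10:"subscriber";b:1;}'),
    (3, "wp_capabilities", 'a:2:{s:10:"subscriber";b:1;s:13:"administrator";b:1;}'),
    (3, "nickname", "newuser"),
]

# Allow-list of user_ids that are expected to hold administrator (assumption for the example).
EXPECTED_ADMINS = {1}

# One serialized "role" => bool pair: s:<len>:"<role>";b:<0|1>;
_PAIR = re.compile(r's:(\d+):"([^"]*)";b:([01]);')


def parse_capabilities(serialized: str) -> dict:
    """Parse a PHP-serialized wp_capabilities array into {role: bool}.

    Only the flat role => bool form that WordPress writes is supported;
    anything else raises ValueError so a malformed value is never silently
    treated as "no roles".
    """
    m = re.fullmatch(r'a:(\d+):\{(.*)\}', serialized)
    if not m:
        raise ValueError("not a serialized PHP array")
    count, body = int(m.group(1)), m.group(2)
    caps = {}
    for length, role, flag in _PAIR.findall(body):
        # The declared string length must match the role name, as PHP requires.
        if int(length) != len(role.encode()):
            raise ValueError(f"length mismatch for role {role!r}")
        caps[role] = flag == "1"
    if len(caps) != count:
        raise ValueError("element count mismatch")
    return caps


def find_unexpected_admins(rows, expected_admins):
    """Return user_ids granted administrator that are not on the allow-list."""
    flagged = []
    for user_id, key, value in rows:
        if key != "wp_capabilities":
            continue
        caps = parse_capabilities(value)
        if caps.get("administrator") and user_id not in expected_admins:
            flagged.append(user_id)
    return flagged


if __name__ == "__main__":
    for uid in find_unexpected_admins(SAMPLE_USERMETA, EXPECTED_ADMINS):
        print(f"user_id {uid} holds administrator but is not an expected admin")
```

Running this periodically (or on a trigger from user registration) turns the database fact the post highlights into a detection: user 3 is reported because its capabilities row carries administrator alongside subscriber while only user 1 is expected to be an admin.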
Time to kill
Once I had the exploitation route, it was just a matter of using it in my exploit request, which let me achieve admin-level privileges in the WP setup.
As a responsible disclosure, I have tried to hide as much as possible in the video PoC given here (so bear with me, those who want a ready-made cake). However, enough hints are given to make your path easier to exploit.
Demo Time