#VU24502 Improper access control in Ultimate Member - User Profile & Membership Plugin - CVE-2020-6859

Cybersecurity Help s.r.o.

Published: 2020-01-24

Vulnerability identifier: #VU24502

Vulnerability risk: Medium

CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2020-6859

CWE-ID: CWE-284

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Ultimate Member - User Profile & Membership Plugin
Web applications / Modules and components for CMS

Vendor: Ultimate Member

Description

The vulnerability allows a remote attacker to gain unauthorized access to otherwise restricted functionality.

The vulnerability exists due to Insecure Direct Object Reference (IDOR) issue in includes/core/class-files.php. A remote attacker can bypass implemented security restrictions and change other users' profiles and cover photos via a modified "user_id" parameter. This is related to "ajax_image_upload" and "ajax_resize_image".

Mitigation
Install updates from vendor's website.

Vulnerable software versions

Ultimate Member - User Profile & Membership Plugin: 1.0.0 - 2.1.2

External links
https://github.com/ultimatemember/ultimatemember/blob/627bbb0fae81ac34c60b43f0867eadcf8e1bc523/includes/core/class-files.php#L269
https://github.com/ultimatemember/ultimatemember/blob/627bbb0fae81ac34c60b43f0867eadcf8e1bc523/includes/core/class-files.php#L310
https://github.com/ultimatemember/ultimatemember/commit/249682559012734a4f7d71f52609b2f301ea55b1
https://wordpress.org/plugins/ultimate-member/#developers
https://wpvulndb.com/vulnerabilities/10041

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Improper access control in Ultimate Member – User Profile & Membership Plugin for WordPress