CVE-2023-51356: ARMember <= 4.0.10 — Authenticated Privilege Escalation
About the Plugin
- Plugin name: ARMember — Membership Plugin, Content Restriction, Member Levels, User Profile & User signup
- Affected version: <= 4.0.10
- Plugin home page: https://wordpress.org/plugins/armember-membership/
Summary
The backend code of the edit-profile feature is vulnerable to privilege escalation. An attacker can manipulate the request to assign a higher "role" to their own account. How can that happen? Read my explanation below ^^
Vulnerable Code
- Filename: wp-content/plugins/armember-membership/core/classes/class.arm_member_forms.php
- Code:
When users edit their profile, the submitted data is processed by the function arm_shortcode_form_ajax_action(). This function then calls another function, arm_update_member_profile(). See the code below.
- Filename: wp-content/plugins/armember-membership/core/classes/class.arm_member_forms.php
- Code:
See the code above. In this function, the submitted data is written to the database via wp_update_user( $update_data ). The code then runs do_action( 'arm_member_update_meta', $user_ID, $posted_data ). But that step is not secure.
- Filename: wp-content/plugins/armember-membership/core/classes/class.arm_member_forms.php
- Code:
Why is the code above not secure? Are you interested in "roles"? Right: the code checks whether the "role" key exists in the submitted data. If it does, the "role" value ends up in the $key variable, and when the function runs `update_user_meta( $user_ID, $key, $val )`, the privilege escalation happens.
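A hardened version of the meta-update step, as an added example that is neither the plugin's own code nor the vendor's actual fix: only an explicit allowlist of profile keys reaches update_user_meta(), and role and capability keys are dropped and logged so the attempt is visible. The function name and the allowlist contents are assumptions.

```php
<?php
// Added example, not ARMember code. Writes only allowlisted profile keys and
// refuses role/capability keys regardless of what the edit-profile form sends.
// Returns the list of rejected keys so the caller (or a test) can inspect it.
function armex_safe_update_member_meta( $user_id, array $posted_data ) {
    global $wpdb;

    // Only the current user (or someone allowed to edit this user) may write.
    if ( ! current_user_can( 'edit_user', $user_id ) ) {
        return array_keys( $posted_data );
    }

    // Keys the form is genuinely allowed to write (assumed set; adjust per form).
    $allowed_keys = array( 'first_name', 'last_name', 'phone', 'company' );

    // Keys that must never come from user input. WordPress stores roles in the
    // {$wpdb->prefix}capabilities meta row, so block that as well as the
    // literal "role" key discussed in this write-up.
    $blocked_keys = array(
        'role',
        'roles',
        $wpdb->prefix . 'capabilities',
        $wpdb->prefix . 'user_level',
    );

    $rejected = array();
    foreach ( $posted_data as $key => $val ) {
        $key = sanitize_key( $key ); // lowercases, strips unexpected characters
        if ( in_array( $key, $blocked_keys, true ) || ! in_array( $key, $allowed_keys, true ) ) {
            $rejected[] = $key;
            continue;
        }
        $clean_val = is_string( $val ) ? sanitize_text_field( $val ) : $val;
        update_user_meta( $user_id, $key, $clean_val );
    }

    // A request carrying "role" or "wp_capabilities" shows up here; useful for
    // detection on sites that ship this kind of edit-profile endpoint.
    if ( ! empty( $rejected ) ) {
        error_log( sprintf(
            'armex: rejected profile meta keys for user %d: %s',
            (int) $user_id,
            implode( ',', $rejected )
        ) );
    }
    return $rejected;
}
```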
Attack Scenario
1. Log in as a member
2. Go to the edit-profile page
3. Edit the data
4. Submit and manipulate the request
Original Request:
Edited Request:
Timeline
- 31 July 2023: Reported to Patchstack
- 31 August 2023: Vulnerability fixed
- 26 December 2023: Publicly disclosed