A vulnerability in the widely used Ultimate Member WordPress plugin allows account takeover by exposing password reset links. The flaw makes it possible for attackers with authenticated contributor-level access or higher to obtain password reset URLs for user accounts, including administrators.
The vulnerability affects up to 200,000 WordPress installations and is rated 8.8/10 in severity.
Ultimate Member WordPress Plugin
Ultimate Member is a membership and user profile plugin for WordPress that helps websites build online communities, membership portals, and user directories. It provides front-end registration, login, profiles, and searchable member directories. The plugin allows users to become authors and create posts and comments.
Vulnerable To Authenticated Attackers
This is an authenticated vulnerability, meaning attackers must first obtain contributor-level permissions in order to exploit it. Successful exploitation of the vulnerability allows full site account takeover.
Password Reset Link Disclosure
The vulnerability is caused by three separate logic flaws that become dangerous when chained together.
The first flaw allows attackers to trick the plugin into treating arbitrary posts as legitimate member directories. A member directory is normally a controlled list of users displayed on the site, but the flawed validation makes it possible to redirect directory-related functionality toward attacker-controlled content.
The second flaw allows attackers to bypass restrictions on protected metadata fields. Metadata in WordPress often contains internal data that plugins expect ordinary users cannot manipulate directly.
The third flaw stems from a failure to properly validate the field names used when generating user card data. Because of this missing validation, attackers can request internal fields that should never be exposed publicly, including the password reset link.
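The third flaw comes down to trusting request-supplied field names when building a directory card. The following is an added illustration of the allowlist check a fix of this kind applies; it is not Ultimate Member's code, and every function and field name in it is hypothetical.

```php
<?php
// Hypothetical user-card field selection for a member directory.
// Added example, not the plugin's own code: shows why an allowlist of
// displayable fields, rather than trusting the request, keeps internal
// user data such as a password reset link out of the directory response.

// Fields a directory card is allowed to show (assumed list for this example).
const CARD_ALLOWED_FIELDS = ['display_name', 'user_login', 'description', 'profile_photo'];

// Normalise a requested field name the way WordPress's sanitize_key() does
// (lowercase, a-z0-9, underscore, hyphen), reimplemented here to run stand-alone.
function normalize_field_name(string $field): string {
    return preg_replace('/[^a-z0-9_\-]/', '', strtolower($field));
}

// Vulnerable shape: whatever the request names is what gets rendered.
// Internal fields pass straight through because nothing checks them.
function select_card_fields_unsafe(array $requested): array {
    return array_map('normalize_field_name', array_filter($requested, 'is_string'));
}

// Hardened shape: only names present in the allowlist survive; anything else
// is dropped, so a request can never name a sensitive field into existence.
function select_card_fields(array $requested): array {
    $kept = [];
    foreach ($requested as $field) {
        if (!is_string($field)) {
            continue;
        }
        $field = normalize_field_name($field);
        if (in_array($field, CARD_ALLOWED_FIELDS, true)) {
            $kept[] = $field;
        }
    }
    return $kept;
}

// Constructed request mixing a legitimate card field with an internal one
// ('password_reset_link' is a placeholder name, not the plugin's real key).
$request = ['display_name', 'password_reset_link', 'Description'];
print_r(select_card_fields_unsafe($request)); // all three names pass through
print_r(select_card_fields($request));        // only display_name, description
```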
Impact Of The Vulnerability
Password reset links are effectively temporary login credentials. They are supposed to be private and sent only to the account owner during password recovery.
Because the plugin fails to properly validate which fields can be requested, attackers can force the plugin to disclose these reset links, which an attacker can then use to reset any account's password, including that of an administrator account, which controls site access.
According to Wordfence:
“This makes it possible for authenticated attackers with Contributor-level access and above to leak live password reset URLs for all users in the member directory response, including administrators.”
Patch Available
The vulnerability affects all versions of Ultimate Member up to and including version 2.11.4. A patch is available in version 2.12.0, which adds stricter validation around member directory handling and allowed user data fields. Users of the Ultimate Member plugin are advised to update to version 2.12.0 or newer immediately.