#### [CVE-2019-10270] Ultimate Member 2.39 Arbitrary password reset
#### Description ####
An arbitrary password reset issue (Incorrect Access Control) has been discovered in the Ultimate Member plugin 2.39 for WordPress.
It is possible (due to lack of verification and correlation between the reset password link key sent by mail and the user_id parameter) to reset the password of another user.
One only needs to know the user_id, which is publicly available; moreover, the user_id parameter is a numeric, incrementally generated value.
It is possible to modify the password of any user managed by Ultimate Member, including WordPress administrators.
This could lead to account compromise and privilege escalation.
To exploit the vulnerability, an ordinary user on a website running Ultimate Member requests a password reset and modifies the user_id parameter so that the password of a chosen user is reset instead of their own.
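The defect described above is a reset key that is checked for validity without being checked against the account it was issued for. The following Python example, added here and not taken from the Ultimate Member plugin or from the 2.40 fix, contrasts that unbound check with a key-bound one: the hardened handler looks up the key by the user_id it was issued for, compares it in constant time, rejects expired keys and consumes the key on first use. The in-memory stores, the user ids, the key format and the function names are all constructed for the example.

```python
import hashlib
import hmac
import secrets
import time

# Constructed in-memory stand-ins for the WordPress user table and for the
# plugin's reset-key storage; a real plugin would keep these in the database.
PASSWORD_RECORDS = {}    # user_id -> (salt, pbkdf2 digest)
RESET_KEYS = {}          # user_id -> (sha256 hex of the raw key, expiry time)
RESET_TTL_SECONDS = 3600
PBKDF2_ROUNDS = 100_000


def _now(now):
    return time.time() if now is None else now


def set_password(user_id, new_password):
    """Store a salted PBKDF2 digest (stand-in for wp_hash_password)."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", new_password.encode(), salt, PBKDF2_ROUNDS)
    PASSWORD_RECORDS[user_id] = (salt, digest)


def verify_password(user_id, password):
    record = PASSWORD_RECORDS.get(user_id)
    if record is None:
        return False
    salt, digest = record
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(digest, candidate)


def _key_hash(raw_key):
    # Only a hash of the key is stored, so a database read cannot reuse it.
    return hashlib.sha256(raw_key.encode()).hexdigest()


def issue_reset_key(user_id, now=None):
    """Create a reset key for user_id (the raw key is what the e-mail carries)."""
    raw_key = secrets.token_urlsafe(32)
    RESET_KEYS[user_id] = (_key_hash(raw_key), _now(now) + RESET_TTL_SECONDS)
    return raw_key


def reset_password_unbound(user_id, presented_key, new_password):
    """Vulnerable pattern: the key is only checked for existence, so a key
    issued for one account accepts any user_id the caller supplies."""
    presented = _key_hash(presented_key)
    if not any(stored == presented for stored, _ in RESET_KEYS.values()):
        return False
    set_password(user_id, new_password)
    return True


def reset_password_bound(user_id, presented_key, new_password, now=None):
    """Hardened pattern: the key must be the one issued for this user_id,
    must not be expired, and is consumed on use."""
    record = RESET_KEYS.get(user_id)
    if record is None:
        return False
    stored_hash, expiry = record
    if _now(now) > expiry:
        RESET_KEYS.pop(user_id, None)
        return False
    if not hmac.compare_digest(stored_hash, _key_hash(presented_key)):
        return False
    RESET_KEYS.pop(user_id, None)      # single use: a replay is rejected
    set_password(user_id, new_password)
    return True


# Constructed accounts: 1 is the administrator, 2 and 3 are ordinary members.
for _uid, _pw in ((1, "admin-initial"), (2, "alice-initial"), (3, "bob-initial")):
    set_password(_uid, _pw)

if __name__ == "__main__":
    key_for_2 = issue_reset_key(2)
    print("unbound check, key for user 2 used on user 1:",
          reset_password_unbound(1, key_for_2, "changed"))   # True: the flaw
    key_for_3 = issue_reset_key(3)
    print("bound check, key for user 3 used on user 1:",
          reset_password_bound(1, key_for_3, "changed"))       # False
    print("bound check, key for user 3 used on user 3:",
          reset_password_bound(3, key_for_3, "changed"))       # True
```

The lookup by user_id is the essential change: the server decides which account a key belongs to from its own record, never from the request. Expiry and single use are the usual companions to that check, since a key that stays valid indefinitely widens the window in which a leaked reset e-mail can be used.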
#### Timeline (dd/mm/yyyy) ####
++ 12/03/2019 : Initial discovery
++ 13/03/2019 : First contact attempt (email)
++ 13/03/2019 : Response from editor
++ 26/03/2019 : Technical details sent to the editor
++ 26/03/2019 : Reply: fix planned for major release 2.40 in late September
++ 15/06/2019 : Release of the advisory
#### Fixes ####
++ Upgrade to Ultimate Member 2.40
#### Affected versions ####
++ Versions up to 2.39
#### Credits ####
++ Clément CRUCHET <lutzenfried@proton.com>
#### Reference ####
++ https://ultimatemember.com/