Ultimate Member 2.39 Arbitrary password reset

2019.06.16
Risk: Medium
Local: No
Remote: Yes
CWE: CWE-640


CVSS Base Score: 4/10
Impact Subscore: 2.9/10
Exploitability Subscore: 8/10
Exploit range: Remote
Attack complexity: Low
Authentication: Single time
Confidentiality impact: None
Integrity impact: Partial
Availability impact: None

#### [CVE-2019-10270] Ultimate Member 2.39 Arbitrary password reset ####

#### Description ####

An arbitrary password reset issue (Incorrect Access Control) has been discovered in the Ultimate Member plugin 2.39 for WordPress. Because the plugin does not verify that the reset password link key sent by mail corresponds to the user_id parameter, it is possible to reset the password of another user. The attacker only needs to know the user_id, which is publicly available; moreover, the user_id parameter is a numerical, incrementally generated value.

It is possible to modify the password of any user or admin of a WordPress site using Ultimate Member. This could lead to account compromise and privilege escalation.

To exploit the vulnerability, an ordinary user of a website using Ultimate Member has to request a password reset and modify the user_id parameter in order to reset the password of a chosen user.

#### Timeline (dd/mm/yyyy) ####

++ 12/03/2019 : Initial discovery
++ 13/03/2019 : First contact attempt (email)
++ 13/03/2019 : Response from editor
++ 26/03/2019 : Technical details sent to the editor
++ 26/03/2019 : Reply: fix planned for major release 2.40 in late September
++ 15/06/2019 : Release of the advisory

#### Fixes ####

Upgrade to Ultimate Member 2.40

#### Affected versions ####

++ Versions up to 2.39

#### Credits ####

++ Clément CRUCHET <lutzenfried@proton.com>

#### Reference ####

++ https://ultimatemember.com/
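
The missing correlation check described above, as an added example that is not the plugin's code: a small Python model in which `reset_unbound` accepts any outstanding key for whatever `user_id` the request names (an assumed reading of the flaw), while `reset_bound` looks the key up under the requested `user_id` and enforces expiry and single use. `ResetStore`, the sample accounts and the one-hour lifetime are assumptions made for the illustration.

```python
import hashlib
import hmac
import secrets
import time

TOKEN_TTL = 3600  # assumption: reset keys are valid for one hour


def _digest(key):
    # Store only a hash of the key, never the key itself.
    return hashlib.sha256(key.encode()).hexdigest()


class ResetStore:
    """In-memory stand-in for the user table (constructed sample data)."""

    def __init__(self):
        self.passwords = {1: "admin-old", 7: "member-old"}
        self.pending = {}  # user_id -> (sha256 of key, expiry timestamp)

    def issue_key(self, user_id, now=None):
        now = time.time() if now is None else now
        key = secrets.token_urlsafe(32)
        self.pending[user_id] = (_digest(key), now + TOKEN_TTL)
        return key  # would be mailed to the account owner

    def reset_unbound(self, user_id, key, new_password):
        """Flawed pattern: the key is checked for validity, but not for
        ownership by the user_id taken from the request."""
        supplied = _digest(key)
        if not any(hmac.compare_digest(supplied, d)
                   for d, _ in self.pending.values()):
            return False
        self.passwords[user_id] = new_password
        return True

    def reset_bound(self, user_id, key, new_password, now=None):
        """Corrected pattern: the key must be the one issued for user_id."""
        now = time.time() if now is None else now
        record = self.pending.get(user_id)
        if record is None:
            return False
        stored, expiry = record
        if now > expiry or not hmac.compare_digest(_digest(key), stored):
            return False
        del self.pending[user_id]  # single use: burn the key on success
        self.passwords[user_id] = new_password
        return True
```
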

References:

https://ultimatemember.com/


Copyright 2019, cxsecurity.com

 
