István Márton
February 23, 2024

$2,063 Bounty Awarded for Unauthenticated SQL Injection Vulnerability Patched in Ultimate Member WordPress Plugin

🎉 Did you know we’re running a Bug Bounty Extravaganza again?

Earn over 6x our usual bounty rates, up to $10,000, for all vulnerabilities submitted through February 29th, 2024 when you opt to have Wordfence handle responsible disclosure!

On January 30th, 2024, shortly after the launch of our second Bug Bounty Extravaganza, we received a submission for an unauthenticated SQL Injection vulnerability in Ultimate Member, a WordPress plugin with more than 200,000+ active installations. This vulnerability can be leveraged to extract sensitive data from the database, such as password hashes.

Props to Christiaan Swiers who discovered and responsibly reported this vulnerability through the Wordfence Bug Bounty Program. This researcher earned a bounty of $2,063.00 for this discovery during our Bug Bounty Program Extravaganza.

Wordfence Premium, Wordfence Care, and Wordfence Response users received a firewall rule to protect against any exploits targeting this vulnerability on January 30, 2024. Sites using the free version of Wordfence will receive the same protection on February 29, 2024.

We contacted the Ultimate Member Team on January 30, 2024, and received a response on the same day. After providing full disclosure details, the developer released a patch on February 19, 2024. We would like to commend the Ultimate Member Team for their prompt response and timely patch.

We urge users to update their sites with the latest patched version of Ultimate Member, which is version 2.8.3, as soon as possible.

Vulnerability Summary from Wordfence Intelligence

Description: Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin 2.1.3 – 2.8.2 – Unauthenticated SQL Injection
Affected Plugin: Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin
Plugin Slug: ultimate-member
Affected Versions: 2.1.3 – 2.8.2
CVE ID: CVE-2024-1071
CVSS Score: 9.8 (Critical)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Researcher/s: Christiaan Swiers
Fully Patched Version: 2.8.3
Bounty Award: $2,063.00

The Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin plugin for WordPress is vulnerable to SQL Injection via the ‘sorting’ parameter in versions 2.1.3 to 2.8.2 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

Technical Analysis

Ultimate Member is a WordPress membership plugin, which includes many premium features and functions. One such feature is the member directories, which lists the users on the website.

Unfortunately, insecure implementation of the plugin’s users query functionality allows for SQL injection. Examining the code reveals that the plugin uses the ajax_get_members() function in the Member_Directory_Meta class to query WordPress users to list them, where the order can be specified with the ‘sorting’ parameter.

$order = 'ASC';
$sortby = ! empty( $_POST['sorting'] ) ? sanitize_text_field( $_POST['sorting'] ) : $directory_data['sortby'];

Although the sanitize_text_field() function is used, it does not protect against SQL injection.

$this->sql_order = " ORDER BY u.{$sortby} {$order} ";
$user_ids = $wpdb->get_col(
	"SELECT SQL_CALC_FOUND_ROWS DISTINCT u.ID
	{$this->select}
	FROM {$wpdb->users} AS u
	{$sql_join}
	WHERE 1=1 {$sql_where}
	{$this->having}
	{$this->sql_order}
	{$this->sql_limit}"
);

The ORDER BY statement is added to the query without the WordPress wpdb prepare() function. The prepare() function would parameterize and escape the SQL query for safe execution in WordPress, thereby providing protection against SQL injection attacks.

Since Union-Based SQL injection is not possible due to the structure of the query, an attacker would need to use a Time-Based blind approach to extract information from the database. This means that they would need to use SQL CASE statements along with the SLEEP() command while observing the response time of each request to steal information from the database. This is an intricate, yet frequently successful method to obtain information from a database when exploiting SQL Injection vulnerabilities.

Important Note

We would like to draw attention to the fact that the vulnerability only critically affects users who have checked the “Enable custom table for usermeta” option in the plugin settings, because the plugin only loads the Member_Directory_Meta class in this configuration.

$search_in_table = $this->options()->get( 'member_directory_own_table' );

if ( ! empty( $search_in_table ) ) {
	$this->classes['member_directory'] = new um\core\Member_Directory_Meta();
}

This means that not all users running the plugin would be inherently vulnerable, but nonetheless we recommend updating immediately as attackers are clever and could chain vulnerabilities in plugins to achieve a complete site takeover.

Wordfence Firewall

The following graphic demonstrates the steps to exploitation an attacker might take and at which point the Wordfence firewall would block an attacker from successfully exploiting the vulnerability.

The Wordfence firewall rule detects the malicious SQL query and blocks the request.

Disclosure Timeline

January 30, 2024 – We receive the submission of the SQL Injection vulnerability in Ultimate Member via the Wordfence Bug Bounty Program.
January 30, 2024 – We validate the report and confirm the proof-of-concept exploit.
January 30, 2024 – We initiate contact with the plugin vendor asking that they confirm the inbox for handling the discussion.
January 30, 2024 – The vendor confirms the inbox for handling the discussion.
January 30, 2024 – We send over the full disclosure details. The vendor acknowledges the report and begins working on a fix.
January 30, 2024 – Wordfence Premium, Care, and Response users receive a firewall rule to provide protection against any exploits that may target this vulnerability.
February 19, 2024 – The fully patched version of the plugin, 2.8.3, is released.
February 29, 2024 – Wordfence Free users receive the same protection.

Conclusion

In this blog post, we detailed a SQL Injection vulnerability within the Ultimate Member plugin affecting versions 2.1.3 to 2.8.2. This vulnerability allows unauthenticated threat actors to inject malicious SQL queries to steal sensitive information from the database. The vulnerability has been fully addressed in version 2.8.3 of the plugin.

We encourage WordPress users to verify that their sites are updated to the latest patched version of Ultimate Member.

Wordfence users running Wordfence Premium, Wordfence Care, and Wordfence Response have been protected against these vulnerabilities as of January 30, 2024. Users using the free version of Wordfence will receive the same protection on February 29, 2024.

If you know someone who uses this plugin on their site, we recommend sharing this advisory with them to ensure their site remains secure, as this vulnerability poses a significant risk.

Did you enjoy this post? Share it!

LinkedIn 

Comments

No Comments

Breaking WordPress Security Research in your inbox as it happens.

Example of a news story

This site uses cookies in accordance with our Privacy Policy.