CVE-2020-36155

high-risk
Published 2021-01-04

An issue was discovered in the Ultimate Member plugin before 2.1.12 for WordPress, aka Unauthenticated Privilege Escalation via User Meta. An attacker could supply an array parameter for sensitive metadata, such as the wp_capabilities user meta that defines a user's role. During the registration process, submitted registration details were passed to the update_profile function, and any metadata was accepted, e.g., wp_capabilities[administrator] for Administrator access.

Do I need to act?

EPSS: 62.0% chance of exploitation in the next 30 days (higher than 38% of all CVEs)
CISA KEV: not listed; no confirmed active exploitation reported to CISA
Fix available. Upgrade to: 427bb6da1c2f984b0a0be7013e490496023bdcb6
CVSS 10.0/10 Critical (attack vector: NETWORK, attack complexity: LOW)

Affected Products (1)

Affected Vendors

Score 57/100 (high-risk)
Severity 33/34 · Critical
Exploitability 19/34 · Moderate
Exposure 5/34 · Minimal