CVE-2020-36156

moderate-risk
Published 2021-01-04

An issue was discovered in the Ultimate Member plugin before 2.1.12 for WordPress, aka Authenticated Privilege Escalation via Profile Update. Any user with wp-admin access to the profile.php page could supply the parameter um-role with a value set to any role (e.g., Administrator) during a profile update, and effectively escalate their privileges.

Do I need to act?

-
0.93% chance of exploitation
EPSS score — low exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
+
Fix available
Upgrade to: 427bb6da1c2f984b0a0be7013e490496023bdcb6
9
CVSS 9.9/10 Critical
NETWORK / LOW complexity

Affected Products (1)

Affected Vendors

Ultimatemember

References (6)

Release Notes https://wordpress.org/plugins/ultimate-member/#developers
Exploit https://wpscan.com/vulnerability/dd4c4ece-7206-4788-8747-f0c0f3ab0a53
Exploit https://www.wordfence.com/blog/2020/11/critical-privilege-escalation-vulnerabili...
Release Notes https://wordpress.org/plugins/ultimate-member/#developers
Exploit https://wpscan.com/vulnerability/dd4c4ece-7206-4788-8747-f0c0f3ab0a53
Exploit https://www.wordfence.com/blog/2020/11/critical-privilege-escalation-vulnerabili...
41
/ 100
moderate-risk
Severity 33/34 · Critical
Exploitability 3/34 · Minimal
Exposure 5/34 · Minimal