Hello readers, welcome to this informative blog post. Today, we’ll explore a critical security vulnerability that has recently come to light in the Ultimate Member plugin for WordPress. This flaw, identified as CVE-2024-1071, poses a significant risk to over 200,000 active installations of the plugin. So, let’s roll up our sleeves and understand the intricacies of this issue.
Overview
The Ultimate Member plugin, widely embraced for elevating user engagement and community-building features on WordPress websites, has unfortunately been discovered with vulnerabilities. Specifically, versions 2.1.3 to 2.8.2 of the Ultimate Member plugin are affected. The heart of the problem lies in an unauthenticated SQL Injection flaw associated with the ‘sorting’ parameter. But what does that mean?
When attackers exploit this weakness, they can inject malicious SQL queries into affected websites. The vulnerability arises due to insufficient input sanitization and inadequate query preparation. In simpler terms, the plugin doesn’t properly handle user input related to sorting, leaving a door wide open for attackers to wreak havoc.
The severity of the situation is underscored by a CVSS score of 9.8, classifying it as critical. This score indicates that attackers could potentially extract sensitive data from compromised databases, posing a severe threat to website security. Imagine the impact on website security when adversaries gain unauthorized access to user information, login credentials, or other critical data.
Adding to the urgency is the active exploitation of this vulnerability by a pro-Palestinian group known as "Handala." Employing sophisticated techniques, including Time-Based blind SQL Injection, they capitalize on this flaw swiftly.
Technical Details of CVE-2024-1071
The vulnerability within the Ultimate Member plugin revolves around the 'sorting' parameter, a pivotal element that oversees user interactions within the plugin. Specifically linked to the /wp-admin/admin-ajax.php endpoint, responsible for managing sorting requests and displaying data, the 'sorting' parameter plays a crucial role during tasks such as viewing user profiles or handling community content.
At the core of the problem lies in how the plugin manages user input associated with the 'sorting' parameter. Regrettably, the plugin lacks adequate validation and sanitization measures for this input, leading to a vulnerability. Essentially, any input, regardless of malicious intent, can navigate through the system undetected. This gap in the validation process is particularly concerning as the plugin constructs SQL queries based on user input and using that SQL statement, interacts with the backend database management system. It's noteworthy to mention that this attack doesn't require any authentication to be executed. This means that potential attackers can exploit the vulnerability without needing any prior authentication, raising the urgency for immediate action to address this security flaw within the Ultimate Member plugin.
Importantly, users who have opted to enable the “Enable custom table for usermeta” setting within the plugin configuration are at heightened risk.
Identifying and Exploiting the Vulnerability
Prepare for a hands-on demonstration where we'll be setting up a lab to showcase the vulnerability within the Ultimate Member plugin. This practical session aims to provide a clear understanding of the exploit, illustrating the potential risks and consequences associated with this identified security flaw.
To get started, ensure you have Docker installed on your system. Below is the Docker Compose configuration that you can use to set up the lab environment:
Copy this code into a docker-compose.yml file. This docker-compose.yml file specifies MySQL version 8.0 and uses the latest version of the WordPress image. Now open a terminal, navigate to the directory containing the file, and run the command: docker-compose up --build . This will pull the required Docker images and set up a local WordPress instance with the identified vulnerability. After the containers are running, you can access the local WordPress site by opening http://localhost:8080 in your web browser.
Upon accessing the url, set up the environment with all necessary details and access the admin dashboard. To proceed with the demonstration, install the vulnerable version of the Ultimate Member plugin by downloading it here. Once downloaded, navigate to the WordPress admin dashboard, go to the "Plugins" section, select "Add New," choose "Upload Plugin," upload the downloaded file, and activate the plugin. With the vulnerable version in place, we're ready to explore.
Additionally, activate the plugin by navigating to http://localhost:8080/wp-admin/plugins.php. After activation, check the “enable the custom table for usermeta” option by visiting http://localhost8080/wp-admin/admin.php?page=um_options&tab=misc. These settings are crucial for our demonstration, allowing us to simulate and understand the intricacies of the identified security flaw in the Ultimate Member plugin.
When conducting a penetration test on a real WordPress website, the initial step involves identifying the plugins running on the site, along with their version numbers. To facilitate this process, WPScan can be a valuable tool. You can find WPScan on GitHub: https://github.com/wpscanteam/wpscan. This tool is designed to efficiently enumerate and gather information about plugins, themes, and the overall WordPress environment.
The WPscan identifies the plugin running along with its version. Besides that, It also said that it is vulnerable to CVE - 2024-1071. So now we proceed to exploit the identified issue within this plugin. We'll be utilizing a proof of concept (POC) created by the Github user "gbrsh." Begin by downloading the POC script from the following link: https://github.com/gbrsh/CVE-2024-1071/blob/main/exploit.py. Once downloaded, run the script by specifying the target:
This confirms the vulnerability of the site with version 2.8.2. With this information in hand, proceed to use sqlmap to exploit the vulnerability. Run the following sqlmap command:
$ sqlmap -u http://X.X.X.180:8080/wp-admin/admin-ajax.php --method POST --data "action=um_get_members&nonce=bd270be243&directory_id=b9238&sorting=user_login" --dbms mysql --technique=T -p sorting
This command leverages sqlmap to interact with the vulnerable site, utilizing the identified parameters to exploit the SQL injection vulnerability and retrieve valuable information from the backend database.
The sqlmap scan results indicate that the POST parameter 'sorting' is indeed vulnerable to time-based blind SQL injection. Here's a summary of the findings:
- The injection point on POST parameter 'sorting' has been identified as 'MySQL >= 5.0.12 AND time-based blind (query SLEEP).'
- SQLmap successfully confirmed the vulnerability with a time-based blind injection test.
- The backend database management system (DBMS) is identified as MySQL >= 5.0.12.
Mitigation
Here are the steps you can take to safeguard your WordPress site:
- Update the Plugin Promptly: The plugin developers have swiftly addressed the issue by releasing version 2.8.3 on February 19. Strongly urge your users to update their Ultimate Member plugin to the latest version without delay. Timely updates are crucial, especially given attackers’ effectiveness in exploiting vulnerabilities within a short timeframe.
- Disable the “Enable Custom Table for Usermeta” Option: If your users have enabled this option within the plugin settings, they are particularly vulnerable. Disabling it can mitigate the risk associated with the unauthenticated SQL Injection flaw.
References
- https://www.linkedin.com/pulse/cve-2024-1071-critical-vulnerability-ultimate-member-wordpress-8xfsc/
- https://github.com/gbrsh/CVE-2024-1071/tree/main
- https://bnnbreaking.com/tech/critical-sql-injection-flaw-in-wordpress-plugin-endangers-200000-sites-cve-2024-1071-uncovered
- https://github.com/Trackflaw/CVE-2024-1071-Docker/tree/main
- https://docs.indusface.com/vulnerabilities-2024/cve-2024-1071-critical-vulnerability-in-ultimate-member-word-press-plugin