Two new security flaws in the popular Simple Membership plugin for WordPress, affecting versions 4.3.4 and below, have been identified, leading to potential privilege escalation issues.
With over 50,000 active installations, the plugin developed by smp7 and wp.insider is widely used for custom membership management on WordPress sites.
The flaws identified by Patchstack security researchers include an Unauthenticated Membership Role Privilege Escalation vulnerability (CVE-2023-41957) and an Authenticated Account Takeover vulnerability (CVE-2023-41956).
In the former, unauthenticated users could register accounts with arbitrary membership levels, while the latter allowed authenticated users to take over any member account through an insecure password reset process.
The Unauthenticated Membership Role Privilege Escalation vulnerability primarily hinges on a function that handles the registration process.
“The function handles the process of password reset via a reset password link feature. In the plugin context, the user can enable password reset via a link that will be sent to the user’s email,” Patchstack wrote in an advisory published earlier today.
A critical issue exists because the function can be manipulated via certain GET parameters, enabling users to register with any membership level from an arbitrary member account.
In the Authenticated Account Takeover vulnerability, a separate function handles password reset via a link feature. By carefully crafting the parameters, an attacker could exploit this vulnerability to take control of a user’s account.
According to the Patchstack advisory, the plugin vendor responded swiftly after Patchstack reported the vulnerability on August 29.
“For the first vulnerability, the vendor decided to check if the SQL query to update the member information via the code parameter is valid. This code value could only be obtained by users that already completed their payment or process on a paid membership level,” Patchstack wrote.
“For the second vulnerability, the vendor decided to match the login parameter used for the reset password key check and the actual user object on the $user_data variable.”
The vendor released version 4.3.5 on August 30 2023 to patch these issues, implementing checks to validate user-controlled parameters in custom registration and password reset processes.
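The two fixes Patchstack describes follow a common pattern: the membership level must come from a server-side record tied to a one-time code rather than from a request parameter, and a password reset must act only on the user the reset key actually resolves to. The PHP below is an added illustration of that pattern written for this article; it is not the Simple Membership plugin's code, and every name prefixed `example_` (the functions, the `example_reg_code_` transient key and the `example_membership_level` user meta key) is a hypothetical placeholder. It relies only on WordPress core functions (`check_password_reset_key`, `wp_set_password`, `get_transient`, `update_user_meta`, the sanitization helpers) and assumes some payment or approval flow has already stored a record for each issued code.

```php
<?php
// Added example, not the plugin's code. Hypothetical names carry the "example_" prefix.

/**
 * Password reset via an emailed link.
 * Weak pattern: validate the reset key, then apply the new password to whatever
 * account a second, user-controlled parameter names.
 * Hardened pattern: validate key and login together, and act only on the user
 * object that check_password_reset_key() returned.
 *
 * @return int|WP_Error ID of the updated user, or an error.
 */
function example_handle_reset_link( array $request ) {
    $key   = isset( $request['key'] ) ? sanitize_text_field( wp_unslash( $request['key'] ) ) : '';
    $login = isset( $request['login'] ) ? sanitize_user( wp_unslash( $request['login'] ) ) : '';
    $pass  = isset( $request['new_password'] ) ? (string) $request['new_password'] : '';

    if ( '' === $key || '' === $login || '' === $pass ) {
        return new WP_Error( 'missing_params', 'Incomplete reset request.' );
    }

    // WordPress core ties the key to the account it was issued for and checks expiry.
    $user_data = check_password_reset_key( $key, $login );
    if ( is_wp_error( $user_data ) ) {
        return $user_data; // expired, unknown or mismatched key
    }

    // The login in the request must be the user the key resolved to; never look the
    // target account up from a separate parameter after the key check has passed.
    if ( $user_data->user_login !== $login ) {
        return new WP_Error( 'login_mismatch', 'Reset key does not belong to this account.' );
    }

    wp_set_password( $pass, $user_data->ID );
    return $user_data->ID;
}

/**
 * Membership level assignment after registration.
 * Weak pattern: read the membership level (and member ID) from GET and write it.
 * Hardened pattern: the request carries only an opaque single-use code; level and
 * member come from the record stored server-side when payment/approval completed.
 *
 * @return int|WP_Error The level applied, or an error.
 */
function example_apply_membership_level( array $request ) {
    $code = isset( $request['code'] ) ? sanitize_text_field( wp_unslash( $request['code'] ) ) : '';
    if ( '' === $code || ! preg_match( '/^[A-Za-z0-9]{32,64}$/', $code ) ) {
        return new WP_Error( 'bad_code', 'Invalid registration code.' );
    }

    // Hypothetical storage: the payment flow saved a transient keyed by the code's
    // hash, holding the purchased level and the member it belongs to.
    $transient_key = 'example_reg_code_' . hash( 'sha256', $code );
    $record        = get_transient( $transient_key );
    if ( false === $record || ! isset( $record['level'], $record['member_id'] ) ) {
        return new WP_Error( 'unknown_code', 'Code not found or already used.' );
    }

    // Level and member come from the server-side record, not from the request.
    $level     = (int) $record['level'];
    $member_id = (int) $record['member_id'];

    delete_transient( $transient_key ); // consume the code so it cannot be replayed
    update_user_meta( $member_id, 'example_membership_level', $level );
    return $level;
}
```

The point of the second handler is that a parameter such as `level` never reaches the update at all: the only client-controlled input is the code, and its validity is decided by whether a server-side record exists for it, which is the check the advisory says the vendor added.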