Two new security flaws in the popular Simple Membership plugin for WordPress, affecting versions 4.3.4 and below, have been identified, leading to potential privilege escalation issues.
With over 50,000 active installations, the plugin developed by smp7 and wp.insider is widely used for custom membership management on WordPress sites.
The flaws identified by Patchstack security researchers include an Unauthenticated Membership Role Privilege Escalation vulnerability (CVE-2023-41957) and an Authenticated Account Takeover vulnerability (CVE-2023-41956).
In the former, unauthenticated users could register accounts with arbitrary membership levels, while the latter allowed authenticated users to take over any member account through an insecure password reset process.
The Unauthenticated Membership Role Privilege Escalation vulnerability primarily hinges on a function that handles the registration process.
“The function handles the process of password reset through a reset password link feature. In the plugin context, the user can enable password reset through a link that will be sent to the user’s email,” Patchstack wrote in an advisory published earlier today.
The critical condition is that this function can be manipulated through certain GET parameters, allowing an unauthenticated user to register with any membership level, taken from an arbitrary existing member account.
In the Authenticated Account Takeover vulnerability, a separate function handles password reset through a link feature. By carefully crafting the parameters, an attacker could exploit this vulnerability to take control of a user’s account.
According to the Patchstack advisory, the plugin vendor responded swiftly after Patchstack reported the vulnerability on August 29.
“For the first vulnerability, the vendor decided to check if the SQL query to update the member information via the code parameter is valid. This code value could only be obtained by users that already completed their payment or process on a paid membership level,” Patchstack wrote.
“For the second vulnerability, the vendor decided to match the login parameter used for the reset password key check and the actual user object on the $user_data variable.”
The vendor released version 4.3.5 on August 30, 2023 to patch these issues, implementing checks to validate user-controlled parameters in the custom registration and password reset processes.
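The two checks described in the advisory (take the membership level only from a server-side record that a completed payment created, and verify the reset key against the same user object whose password is then changed) are shown below as an added example. This is not Simple Membership's code and does not use the WordPress API; it uses a hypothetical in-memory store, and every function and field name (`complete_registration`, `reset_password`, `issue_reset_key`, `$paidCodes`, `$users`, `reset_hash`, `reset_expires`) is an assumption made for the illustration.

```php
<?php
// Added example, not the plugin's code. A hypothetical in-memory store stands
// in for the plugin's database tables; all names here are invented.
declare(strict_types=1);

/**
 * Registration: the membership level must come from the server-side record
 * created when payment completed, never from a request parameter.
 *
 * $paidCodes is a constructed table: code => ['level' => string, 'used' => bool]
 */
function complete_registration(array &$paidCodes, array $request): ?array
{
    $code = $request['code'] ?? '';
    // Unknown, empty or already-consumed code: refuse outright.
    if ($code === '' || !isset($paidCodes[$code]) || $paidCodes[$code]['used']) {
        return null;
    }
    $paidCodes[$code]['used'] = true;            // a code is redeemable once
    return [
        'login' => $request['login'] ?? '',
        'level' => $paidCodes[$code]['level'],   // from the record, NOT $request['level']
    ];
}

/**
 * Password reset: resolve the user from the login parameter, verify the key
 * against that record, and update that same record. No second identifier
 * from the request (member id, email) may select the account being changed.
 *
 * $users is a constructed table:
 *   login => ['pass_hash' => string, 'reset_hash' => ?string, 'reset_expires' => int]
 */
function reset_password(array &$users, array $request, int $now): bool
{
    $login = $request['login'] ?? '';
    $key   = $request['key'] ?? '';
    $new   = $request['new_password'] ?? '';

    if ($login === '' || $key === '' || strlen($new) < 12) {
        return false;
    }
    $user_data = $users[$login] ?? null;         // the one and only account in play
    if ($user_data === null || $user_data['reset_hash'] === null) {
        return false;
    }
    if ($now > $user_data['reset_expires']) {
        return false;                            // expired link
    }
    // The key is stored hashed; password_verify compares in constant time.
    if (!password_verify($key, $user_data['reset_hash'])) {
        return false;
    }
    // Update exactly the record the key was verified against, then burn the key.
    $users[$login]['pass_hash']     = password_hash($new, PASSWORD_DEFAULT);
    $users[$login]['reset_hash']    = null;
    $users[$login]['reset_expires'] = 0;
    return true;
}

/** Issue a reset key for $login; returns the plaintext key to email, or null. */
function issue_reset_key(array &$users, string $login, int $now, int $ttl = 3600): ?string
{
    if (!isset($users[$login])) {
        return null;                             // respond identically to the caller either way
    }
    $key = bin2hex(random_bytes(32));
    $users[$login]['reset_hash']    = password_hash($key, PASSWORD_DEFAULT);
    $users[$login]['reset_expires'] = $now + $ttl;
    return $key;
}

// --- constructed demo data --------------------------------------------------
$paidCodes = ['pc-demo-0001' => ['level' => 'gold', 'used' => false]];
$users = [
    'alice'   => ['pass_hash' => password_hash('old-password-xyz', PASSWORD_DEFAULT),
                  'reset_hash' => null, 'reset_expires' => 0],
    'mallory' => ['pass_hash' => password_hash('another-password', PASSWORD_DEFAULT),
                  'reset_hash' => null, 'reset_expires' => 0],
];
$now = time();

// A request that smuggles a level is ignored: the paid record's level wins.
var_dump(complete_registration($paidCodes, ['code' => 'pc-demo-0001', 'login' => 'bob', 'level' => 'platinum']));
// Re-using the same code is refused.
var_dump(complete_registration($paidCodes, ['code' => 'pc-demo-0001', 'login' => 'carol']));

$key = issue_reset_key($users, 'alice', $now);
// A key issued for alice cannot be redeemed under a different login.
var_dump(reset_password($users, ['login' => 'mallory', 'key' => $key, 'new_password' => 'fresh-password-123'], $now));
// It works for alice herself, and only once.
var_dump(reset_password($users, ['login' => 'alice', 'key' => $key, 'new_password' => 'fresh-password-123'], $now));
var_dump(reset_password($users, ['login' => 'alice', 'key' => $key, 'new_password' => 'fresh-password-123'], $now));
```

The design point in both functions is the same: the request may name an account, but nothing in the request is allowed to decide what that account is entitled to or which record gets modified. The level is read from the paid-code record, and the password update targets the record the key was verified against, so a mismatch between parameters has nothing to exploit.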