WordPress Ultimate Member 1.3.28 Cross Site Scripting Vulnerability

Summary

    High-Tech Bridge Security Research Lab discovered vulnerability in Ultimate Member WordPress plugin, intended for managing users’ profiles. The vulnerability can be used against website administrators to perform Cross-Site Scripting (XSS) attacks. 

    Anonymous attacker might be able to steal administrator's cookies, credentials and browser history, modify web page content to perform phishing attacks, or even to perform drive-by-download attacks by injecting malware into website pages when the website administrator follows a specially crafted link with XSS exploit.

    The vulnerability is caused by absence of filtration of input-data passed via the "_refer" HTTP GET parameter to "wp-admin/users.php" script, when "update" is set to value "confirm_delete". A remote unauthenticated attacker can trick a logged-in administrator to open a specially crafted link and execute arbitrary HTML and script code in browser in context of the vulnerable website.

    A simple exploit below will display JS popup with "ImmuniWeb" word:

    http://[host]/wp-admin/users.php?update=confirm_delete&_refer='">[removed]alert('ImmuniWeb');[removed]

Solution

    1. Modify the source code, strict filtering parameters similar "<" and ">" and all special characters that May cause the Cross Site Scripting attack;

    2. Update to Ultimate Member 1.3.29

    3. If you have purchased NGAF appliance, update WAF signature database to version 20151218 or above.