WordPress Ultimate Member 1.3.28 Cross Site Scripting Vulnerability
- Date Published:2015-12-23
- Last Updated:2015-12-23
- Version Affected: WordPress Ultimate Member 1.3.28
High-Tech Bridge Security Research Lab discovered vulnerability in Ultimate Member WordPress plugin, intended for managing users’ profiles. The vulnerability can be used against website administrators to perform Cross-Site Scripting (XSS) attacks.
Anonymous attacker might be able to steal administrator's cookies, credentials and browser history, modify web page content to perform phishing attacks, or even to perform drive-by-download attacks by injecting malware into website pages when the website administrator follows a specially crafted link with XSS exploit.
The vulnerability is caused by absence of filtration of input-data passed via the "_refer" HTTP GET parameter to "wp-admin/users.php" script, when "update" is set to value "confirm_delete". A remote unauthenticated attacker can trick a logged-in administrator to open a specially crafted link and execute arbitrary HTML and script code in browser in context of the vulnerable website.
A simple exploit below will display JS popup with "ImmuniWeb" word:
1. Modify the source code, strict filtering parameters similar "<" and ">" and all special characters that May cause the Cross Site Scripting attack;
2. Update to Ultimate Member 1.3.29
3. If you have purchased NGAF appliance, update WAF signature database to version 20151218 or above.