The Ultimate Member plugin for WordPress is a popular choice for websites with user registration and management functionality. However, it has recently come to light that this plugin is vulnerable to Remote Code Execution (RCE) through the 'populate_dropdown_options' function. This function takes user-supplied input and passes it through call_user_func(), allowing authenticated attackers with administrative privileges to execute code on the server. In this long-read post, we will be diving into the details of this vulnerability (CVE-2022-3384), how it works, and its potential consequences.

References

1. NVD (National Vulnerability Database) - CVE-2022-3384
2. Ultimate Member WordPress Plugin - Version History
3. WPScan Vulnerability Database - Ultimate Member RCE Vulnerability

Exploit Details

The vulnerability exists in the 'populate_dropdown_options' function of the Ultimate Member plugin, in versions up to, and including, 2.5. The function takes a user-supplied value and hands it to call_user_func() without any arguments. That limits an attacker to PHP functions that can be called with no parameters, such as phpinfo(), but it does not restrict which of those functions may be named: there is no allowlist of permitted callbacks, so an authenticated attacker with administrative privileges can invoke arbitrary parameterless functions on the server.

Let's take a quick look at a code snippet showing the vulnerable pattern in the 'populate_dropdown_options' function:

// Vulnerable pattern: every value in $options is treated as a potential
// function name. Nothing restricts which function may be named, so a value
// such as 'phpinfo' is executed. No arguments are passed, so only functions
// that accept zero parameters can be reached this way.
function populate_dropdown_options( $options, $new_options ) {
    foreach ( $options as $key => $value ) {
        if ( is_callable( $value ) ) {
            // A string naming any existing function is callable, so this
            // branch executes whatever function the request named.
            $options[ $key ] = call_user_func( $value );
        } elseif ( function_exists( $value ) ) {
            // Same effect via PHP's variable-function syntax.
            $options[ $key ] = $value();
        }
    }

    return $options;
}

In the code snippet above, the function iterates through the user-supplied array and checks whether each value is callable or names an existing function. When either test passes, the option value is replaced with the return value of that function, invoked through call_user_func() or the $value() variable-function syntax. Both checks only ask whether the name can be called, not whether it should be; there is no allowlist of permitted callbacks. Because no arguments are supplied, the attacker is limited to functions that accept none, but that is still enough to run phpinfo() and disclose the server's configuration, and to reach any other parameterless function available in the PHP process.
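As an added example (not the plugin's code and not part of the original post), here is a minimal model of the vulnerable pattern beside a hardened version that resolves callbacks only through a fixed allowlist keyed by short identifiers, so a function name from the request is never executed directly. The function names, the allowlist key and the sample input are constructed for the illustration; php_uname() stands in for phpinfo() so that the output stays short.

```php
<?php
// Added example: a model of the vulnerable pattern and a hardened variant.
// Nothing here is taken from the Ultimate Member plugin; names are illustrative.

// Hypothetical trusted, parameterless callback that a dropdown might use.
function um_example_country_list(): array {
    return array( 'DE' => 'Germany', 'US' => 'United States' );
}

/**
 * Vulnerable: any string that names an existing function is executed.
 * No arguments are passed, so only zero-parameter functions are reachable,
 * but nothing restricts which zero-parameter function is named.
 */
function populate_dropdown_options_vulnerable( array $options ): array {
    foreach ( $options as $key => $value ) {
        if ( is_callable( $value ) ) {
            $options[ $key ] = call_user_func( $value );
        }
    }
    return $options;
}

/**
 * Hardened: the request may only select an allowlist key; the key is mapped
 * to a callback chosen by the code, never by the caller. Unknown keys are
 * dropped so the function fails closed instead of echoing or executing them.
 */
function populate_dropdown_options_hardened( array $options, array $allowed_callbacks ): array {
    foreach ( $options as $key => $value ) {
        if ( is_string( $value ) && array_key_exists( $value, $allowed_callbacks ) ) {
            $options[ $key ] = call_user_func( $allowed_callbacks[ $value ] );
        } else {
            unset( $options[ $key ] );
        }
    }
    return $options;
}

// Hypothetical allowlist: short identifier => trusted parameterless callback.
$allowed_callbacks = array(
    'countries' => 'um_example_country_list',
);

// Constructed attacker-controlled input: one legitimate selector and one
// arbitrary function name. 'php_uname' stands in for 'phpinfo'.
$attacker_options = array(
    'country_list' => 'countries',
    'evil'         => 'php_uname',
);

echo "vulnerable: 'countries' is not a function, so it is left alone, but 'php_uname' runs\n";
var_export( populate_dropdown_options_vulnerable( $attacker_options ) );

echo "\n\nhardened: 'countries' resolves through the allowlist, 'php_uname' is dropped\n";
var_export( populate_dropdown_options_hardened( $attacker_options, $allowed_callbacks ) );
echo "\n";
```

Run it with `php example.php`. The vulnerable variant returns the output of php_uname() under the 'evil' key, which is exactly the shape of the phpinfo() call the advisory describes; the hardened variant returns the country list for the allowlisted key and discards the unknown one. The key design point is that is_callable() and function_exists() answer "can this be called", while the question a security boundary must answer is "is this one of the callbacks we intended", which only an allowlist can settle.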

Exploitation Steps

An authenticated attacker, with administrative privileges, would follow these basic steps to exploit the vulnerability:

Mitigation

To mitigate this vulnerability, users of the affected Ultimate Member plugin versions (up to, and including, 2.5.) should immediately update the plugin to the latest available version and confirm the installed version afterwards. It is also essential to keep WordPress core, themes and other plugins up to date, since a remote code execution foothold on a site can lead to significant damage, data theft, defacement, loss of user trust, and legal ramifications. Because this issue requires an authenticated administrator, protecting administrator accounts (strong credentials, multi-factor authentication where available, and pruning unused accounts) also reduces the chance that the flaw can be reached at all.

Conclusion

The CVE-2022-3384 vulnerability highlights the importance of keeping WordPress, themes and plugins up to date to protect against potential exploits. Remote Code Execution attacks can be detrimental to a website and its users. As we have seen in this article, the Ultimate Member plugin for WordPress up to version 2.5. is subject to RCE exploitation by authenticated administrators due to the insecure handling of user-supplied input in the 'populate_dropdown_options' function, where a request-supplied name is passed straight to call_user_func() with no allowlist. It is critical to address this vulnerability by updating to the latest plugin version and following best practices for overall site security.

Timeline

Published on: 11/29/2022 21:15:00 UTC
Last modified on: 12/01/2022 20:28:00 UTC