CVE-2022-3383 && CVE-2022-3384

Ultimate Member – User Profile, User Registration, Login & Membership Plugin <= 2.5.0 - Authenticated (Admin+) Remote Code Execution via Multi-Select

The sink function is call_user_func() in several PHP files.

I found several vulnerabilities. Some allow an attacker to execute arbitrary commands remotely, while others only allow the attacker to call specific PHP functions that take no arguments, such as phpinfo(). The details are shown below.

CVE-2022-3383

The RCE cases arise where both parameters of call_user_func(), the callback name and its argument, are controlled by the attacker. This happens in class-fields.php and class-form.php.

These callbacks exist so that site owners can supply their own option-provider functions. However, neither the callback name nor the argument is validated before the call.

There are several sink functions :

  • get_option_value_from_callback(), get_options_from_callback(), edit_field() in class-fields.php
  • ajax_select_options() in class-form.php

Take get_option_value_from_callback() as an example:

[screenshot of get_option_value_from_callback() in class-fields.php]

$data['custom_dropdown_options_source'] (used as the callback) and $data['parent_dropdown_relationship'] (used as its argument) are not filtered in this function.

This function is called by um_option_match_callback_view_field() in um-filters-fields.php.

That caller does not filter $data['custom_dropdown_options_source'] either:

[screenshot of um_option_match_callback_view_field() in um-filters-fields.php]

This path is reached when a select/multiselect field is rendered.

Fields are added in the form builder:

[screenshot of the field settings in the form builder]

The key setting is "Choices Callback", which is stored as $data['custom_dropdown_options_source'].

Then I capture the request that saves the field and add the parameter _parent_dropdown_relationship=ls, which ends up in $data['parent_dropdown_relationship']:

[screenshot of the captured request with _parent_dropdown_relationship=ls added]

Then I reload the page:

[screenshot of the reloaded page]

The command output appears in every user's profile, because the callback runs each time the field is rendered:

[screenshot of the command output in a user profile]

The other sink functions are reached through different code paths, which I have not tested. Therefore only the get_option_value_from_callback() path to RCE is shown here.

CVE-2022-3384

Some call_user_func() calls in Ultimate Member pass only one parameter, for example populate_dropdown_options() in class-admin-builder.php:

[screenshot of populate_dropdown_options() in class-admin-builder.php]

Such a call can only invoke PHP functions that take no arguments, such as phpinfo():

[screenshot of phpinfo() output]

Likewise, if the attacker does not add the _parent_dropdown_relationship parameter, the call in get_option_value_from_callback() has only one attacker-controlled parameter, so only zero-argument PHP functions can be executed.

I think validation should be added before these call_user_func() calls: restrict the callback name to an allowlist of expected functions and check the argument, so that unexpected functions cannot be executed.
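The following is an added example, not Ultimate Member's code, that models the two call_user_func() shapes described for CVE-2022-3383 (callback and argument both attacker-controlled) and CVE-2022-3384 (callback only) and shows one way to gate them with an allowlist. The function names, the allowlist contents, the demo_country_options() provider and the $data arrays are assumptions constructed for the demo; the malicious $data mirrors the payload in the write-up (callback system, argument ls).

```php
<?php
// Added example (not Ultimate Member's code). Minimal model of the
// call_user_func() sink described above and a hardened replacement.
// All names below are assumptions made for this demo.

// Vulnerable shape: both the callback name ("Choices Callback") and the
// argument (_parent_dropdown_relationship) come from field settings.
function vulnerable_options_from_callback( array $data ) {
	if ( empty( $data['custom_dropdown_options_source'] ) ) {
		return array();
	}
	if ( ! empty( $data['parent_dropdown_relationship'] ) ) {
		// CVE-2022-3383 shape: any callable with any string argument.
		return call_user_func( $data['custom_dropdown_options_source'], $data['parent_dropdown_relationship'] );
	}
	// CVE-2022-3384 shape: any zero-argument callable, e.g. phpinfo().
	return call_user_func( $data['custom_dropdown_options_source'] );
}

// Hardened shape: the stored string is only ever resolved through an
// explicit allowlist of plain function names that the site itself defines.
function allowed_choices_callbacks() {
	// Assumed allowlist; populated by the site's own option providers,
	// never by field settings or request parameters.
	return array( 'demo_country_options' );
}

function safe_options_from_callback( array $data ) {
	$cb = isset( $data['custom_dropdown_options_source'] ) ? $data['custom_dropdown_options_source'] : '';
	// Reject anything that is not a bare, allowlisted, existing function:
	// no "Class::method" strings, no arrays, no closures, no PHP builtins.
	if ( ! is_string( $cb ) || ! in_array( $cb, allowed_choices_callbacks(), true ) || ! function_exists( $cb ) ) {
		return array();
	}
	$parent = isset( $data['parent_dropdown_relationship'] ) ? $data['parent_dropdown_relationship'] : '';
	// The parent value should be a field key, not free text: restrict its charset.
	if ( ! is_string( $parent ) || ( $parent !== '' && ! preg_match( '/^[a-z0-9_]+$/', $parent ) ) ) {
		return array();
	}
	return $parent !== '' ? call_user_func( $cb, $parent ) : call_user_func( $cb );
}

// Assumed legitimate option provider, the only thing the allowlist permits.
function demo_country_options( $parent = '' ) {
	return array( 'us' => 'United States', 'de' => 'Germany' );
}

// Constructed attacker-controlled field settings (same payload as the write-up).
$malicious = array(
	'custom_dropdown_options_source' => 'system',
	'parent_dropdown_relationship'   => 'ls',
);
// Constructed legitimate field settings.
$benign = array( 'custom_dropdown_options_source' => 'demo_country_options' );

echo "vulnerable path:\n";
vulnerable_options_from_callback( $malicious ); // executes `ls` on the server

echo "\nhardened path, malicious settings: ";
var_export( safe_options_from_callback( $malicious ) ); // array ( ) - callback rejected

echo "\nhardened path, legitimate settings: ";
var_export( safe_options_from_callback( $benign ) );   // the country list
echo "\n";
```

Run it with `php` on the command line; the vulnerable call prints the directory listing, the hardened call returns an empty array for the same input and still serves the allowlisted provider. The important design choice is that the stored callback string is never trusted on its own: is_callable() or function_exists() alone would still accept system, so the check has to be membership in a list the plugin controls.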