Here Is Yet Another Vulnerability Spotted by Our Plugin Security Checker in the WordPress Plugin Ultimate Member
The WordPress plugin Ultimate Member was the cause of too many websites being hacked back in August, we say too many because the developer didn’t promptly fix a vulnerability that was being exploited for some inexplicable reason. It probably then isn’t surprising that as we improve our Plugin Security Checker, an automated tool that you can use to check if plugins you use have possible security issues that should be further looked into, that Ultimate Member keeps getting flagged for additional possible security issues.
So far it has already flagged a reflected cross-site scripting (XSS) vulnerability, another reflected cross-site scripting (XSS) vulnerability, and a cross-site request forgery (CSRF)/remote code execution vulnerability.
Last Monday we mentioned that we had introduced a new check to that tool that identifies the possibility of some open redirect vulnerabilities while discussing an instance of authenticated variant of that in a plugin, which like Ultimate Member has 100,000+ installations according to wordpress.org. An open redirect vulnerability allows a request to one page to be redirected to an arbitrary URL, which is something spammers have been known to abuse. As part of our work to continue to improved our tool we take a look at instances of plugins being flagged by new checks to see make sure nothing is going wrong with those checks. That led us to confirming yet another vulnerability in Ultimate Member, an authenticated open redirect vulnerability, which isn’t likely to be abused, but exists in part due to a basic security failure with the plugin, which was also part of the cause of the last vulnerability we mentioned that was in the plugin. The vulnerability has gone unnoticed for nearly four years, as it has been in the plugin since its first version.
Due to the moderators of the WordPress Support Forum’s continued inappropriate behavior we are full disclosing vulnerabilities in protest until WordPress gets that situation cleaned up, so we are releasing this post and then only trying to notify the developer through the WordPress Support Forum. You can notify the developer of this issue on the forum as well. Hopefully the moderators will finally see the light and clean up their act soon, so these full disclosures will no longer be needed (we hope they end soon).
Technical Details
The plugin registers the function logout_page() to run when redirects should occur:
22 | add_action('template_redirect', array(&$this, 'logout_page'), 10000 ); |
When that function runs, if you are requesting the plugin’s frontend logout page, normally /logout/, and are logged in, it will logged you out and redirect you to address specified by the GET or POST input “redirect_to” using the function wp_redirect():
30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 | function logout_page() { $language_code = ''; $current_page_ID = get_the_ID(); $logout_page_id = UM()->config()->permalinks['logout']; $trid = 0; if ( is_home() /*|| is_front_page()*/ ) { return; } if ( UM()->external_integrations()->is_wpml_active() ) { global $sitepress; $default_lang = $sitepress->get_default_language(); $language_code = $sitepress->get_current_language(); if ( function_exists( 'icl_object_id' ) ) { $trid = icl_object_id( $current_page_ID, 'page', true, $default_lang ); } else { $trid = wpml_object_id_filter( $current_page_ID, 'page', true, $default_lang ); } if ( $language_code == $default_lang ) { $language_code = ''; } } if ( um_is_core_page( 'logout' ) || ( $trid > 0 && $trid == $logout_page_id ) ) { if ( is_user_logged_in() ) { if ( isset( $_REQUEST['redirect_to'] ) && $_REQUEST['redirect_to'] !== '' ) { wp_logout(); session_unset(); exit( wp_redirect( $_REQUEST['redirect_to'] ) ); |
If the redirected address only be to an address on the same website, so what should be used there is wp_safe_redirect(), which only allows redirects to other addresses on the same website.
What also seems to be missing there is protection against cross-site request forgery (CSRF), as if you do a logout through WordPress it requires a valid nonce to do that, which is used to prevent CSRF.
Proof of Concept
The following proof of concept will redirect you to our homepage, when logged in to WordPress.
Make sure to replace “[path to WordPress]” with the location of WordPress.
http://[path to WordPress]/logout/?redirect_to=https://www.pluginvulnerabilities.com