Login

Tag Archives: Ultimate Member

Plugin Security Scorecard Grade for Ultimate Member

Checked on November 23, 2024
C+

See issues causing the plugin to get less than A+ grade

12 Jul 2019

Not Really a WordPress Plugin Vulnerability, Week of July 12

In reviewing reports of vulnerabilities in WordPress plugins to provide our customers with the best data on vulnerabilities in plugins they use we often find that there are reports for things that don’t appear to be vulnerabilities. For more problematic reports we release posts detailing why the vulnerability reports are false, but there have been a lot of that we haven’t felt rose to that level. In particular are items that are not outright false, just the issue is probably more accurately described as a bug. For those that don’t rise to level of getting their own post we now place them in a weekly post when we come across them.

Path Traversal in Ad Inserter

One of the changelog entries for version 2.4.20 of Ad Inserter is “Fix for path traversal vulnerability – credit to Wilfried Bécard of Synacktiv (https://synacktiv.com)”. The relevant change looks to have replacing the following lines: [Read more]

9 Jul 2019

Vulnerability Details: Cross-Site Request Forgery (CSRF) in Ultimate Member

The changelog for the latest version of Ultimate Member is “Fixed UM Roles create/edit security issue”. Looking at the changes made in that version we found that refers to fixing a cross-site request forgery (CSRF) vulnerability when crediting or editing roles through its User Roles admin page. So previously an attacker could cause a logged in Administrator to change those settings for those roles without intending it if the attacker could get them to access a page they control.

[Read more]

3 Jun 2019

Privilege Escalation Vulnerability Only Partially Fixed in WordPress Plugin Ultimate Member Due to Use of is_admin()

We can’t emphasize enough that you should not use the plugin Ultimate Member as the plugin has been riddled with security vulnerabilities including one that was widely exploited last year and was slow to be fixed, due to what appears to be a lack of interest by the developer in getting it secure. That lack of interest is particularly problematic due to the fact that the plugin has 100,000+ active installations according to wordpress.org. The latest vulnerability found in it is yet another reminder of that, as the developer attempted to fix a serious vulnerability, but used the wrong code, so there is still a vulnerability, though less easily exploited. The continuation of the vulnerability also involves a security failure in WordPress that was warned about back in February of 2011, but still hasn’t been resolved despite being continually being implicated in widely exploited vulnerabilities.

The situation is also is yet another reminder why actually checking out and testing out claimed fixed vulnerabilities is important, so you don’t incorrectly believe that an unfixed vulnerability that is more widely known about, since it has been noted to have been fixed, has been fixed. That is something we do, but clearly other data sources on WordPress plugin vulnerabilities competing with our service don’t do. [Read more]

6 May 2019

What Plugin Vulnerabilities Was Up to in April

If you want the best information and therefore best protection against vulnerabilities in WordPress plugins we provide you that through our service. Here is what we did to keep those are already using our service secure from WordPress plugin vulnerabilities during April (and what you have been missing out on if you haven’t signed up yet).

Paid customers of the service can suggest and vote on plugins to have a security review done by us (you can also order a review separately). This month we released details of our review of Shareaholic. [Read more]

8 Feb 2019

Not Really a WordPress Plugin Vulnerability, Week of February 8

In reviewing reports of vulnerabilities in WordPress plugins we often find that there are reports for things that don’t appear to be vulnerabilities. For more problematic reports we release posts detailing why the vulnerability reports are false, but there have been a lot of that we haven’t felt rose to that level. In particular are items that are not outright false, just the issue is probably more accurately described as a bug. For those that don’t rise to level of getting their own post we now place them in a weekly post when we come across them.

Cross Site Request Forgery / Shell Upload Vulnerability in Ultimate Member

Recently many of the claimed vulnerabilities we have mentioned in these posts have come from someone with the handle “KingSkrupellos” that the website Packet Storm continues to allow to post false reports. They were at it again with a claimed cross site request forgery / shell upload vulnerability in Ultimate Member. In this case they claim that there is vulnerability in the latest version of the plugin involving files that don’t exist in it. [Read more]

6 Dec 2018

Here Is Yet Another Vulnerability Spotted by Our Plugin Security Checker in the WordPress Plugin Ultimate Member

The WordPress plugin Ultimate Member was the cause of too many websites being hacked back in August, we say too many because the developer didn’t promptly fix a vulnerability that was being exploited for some inexplicable reason. It probably then isn’t surprising that as we improve our Plugin Security Checker, an automated tool that you can use to check if plugins you use have possible security issues that should be further looked into, that Ultimate Member keeps getting flagged for additional possible security issues.

So far it has already flagged a reflected cross-site scripting (XSS) vulnerability, another reflected cross-site scripting (XSS) vulnerability, and a cross-site request forgery (CSRF)/remote code execution vulnerability. [Read more]

20 Nov 2018

Our Plugin Security Checker Already Detected a Remote Code Execution (RCE) Vulnerability in a WordPress Plugin with 100,000+ Installs

Last Friday after we discovered a remote code execution (RCE) vulnerability in a WordPress plugin through our proactive monitoring of changes made to plugins in the Plugin Directory to try to catch serious vulnerabilities we noted that we had updated our Plugin Security Checker to have the same check:

Now that we have actually run across a plugin that got flagged by the check that spotted this we have now added it to our Plugin Security Checker, so when you run plugins through that they will now get check for this as well (though hopefully there are not other plugins that are this insecure). [Read more]

3 Oct 2018

New Check in Our Plugin Security Checker Already Spotted Vulnerability in WordPress Plugin with 100,000+ Active Installs

About a month ago we mentioned that moderators of the WordPress Support Forum’s deletion of discussions of security issues can be unhelpful, in the context of us seeing mention of a vulnerability in a thread that was quickly deleted, realizing there was another related vulnerability, and then adding a check for that other vulnerability to our Plugin Security Checker, which provides a limited but expanding capability to check for possible security issues in plugins. Just days later that new check flagged a possible issue in a plugin with 100,000+ active installs that was being run through it and a quick check confirmed that it was an exploitable vulnerability (though far from a serious issue for the average website). That the vulnerability was found in, Ultimate Member, wasn’t all that surprising considering that Plugin Security Checker had previously identified another vulnerability of the same type in the plugin a couple of months ago.

Here are the details of the possible reflected cross-site scripting (XSS) vulnerability that was identified, which are available to users of our service through the Plugin Security Checker’s Developer Mode: [Read more]

24 Aug 2018

Sucuri’s Post With FUD Claim of Massive Infection Really Shows That They Are Failing Their Customers

It has taken us a long time to fully grasp the level of dishonesty in the security industry, since it is so rampant that is hard to believe how bad things truly are, even seeing examples every day. That there is almost any dishonesty should be surprising since trust is so important when it comes to security, especially when you consider the almost total lack of evidence that security companies put forward to back incredible claims they make about their products and services. As an example of how bad things are take the company Sucuri, which claims that trust is one of four of their claimed values:

The security space is filled with snake-oil and unnecessary FUD (fear, uncertainty, and doubt). We are committed to building services in the best interest of website owners. [Read more]

10 Aug 2018

Our Plugin Security Checker Identified Another Reflected XSS Vulnerability in WordPress Plugin with 100,000+ Active Installs

In a reminder of the rather poor state of security of WordPress plugins and how our Plugin Security Checker tool (which is accessible through a WordPress plugin of its own) can help you to get a better idea if they are in need of additional security scrutiny recently the plugin Ultimate Member, which has 100,000+ active installs according to wordpress.org, was run through the tool and it identified a possible reflected cross-site scripting (XSS) vulnerability in the plugin.

Looking at the details of the issue identified, which are available to users of our service through the tool’s Developer Mode, it certainly looked like there was that type of vulnerability as user input was being output without being escaped: [Read more]