// For flags

CVE-2019-10270

Ultimate Member <= 2.0.39 - Privilege Escalation

Severity Score

8.8
*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

1
*Multiple Sources

Exploited in Wild

-
*KEV

Decision

-
*SSVC
Descriptions

An arbitrary password reset issue was discovered in the Ultimate Member plugin 2.39 for WordPress. It is possible (due to lack of verification and correlation between the reset password key sent by mail and the user_id parameter) to reset the password of another user. One only needs to know the user_id, which is publicly available. One just has to intercept the password modification request and modify user_id. It is possible to modify the passwords for any users or admin WordPress Ultimate Members. This could lead to account compromise and privilege escalation.

Se detectó un problema de restablecimiento de contraseña arbitrario en el plugin Member versión 2.39 de Ultimate para WordPress. Es posible restablecer la contraseña de otro usuario (debido a la falta de comprobación y correlación entre la clave de restablecimiento de la contraseña enviada por correo y el parámetro user_id). Solo se necesita conocer el user_id, que está disponible públicamente. Solo hay que interceptar la solicitud de modificación de contraseña y modificar el ID de usuario. Es posible modificar las contraseñas de cualquier usuario o administrador de WordPress Ultimate Members. Esto podría conllevar a comprometer la cuenta y la escalada de privilegios.

An arbitrary password reset issue was discovered in the Ultimate Member plugin 2.0.39 for WordPress. It is possible (due to lack of verification and correlation between the reset password key sent by mail and the user_id parameter) to reset the password of another user. One only needs to know the user_id, which is publicly available. One just has to intercept the password modification request and modify user_id. It is possible to modify the passwords for any users or admin WordPress Ultimate Members. This could lead to account compromise and privilege escalation.

*Credits: Clément CRUCHET
CVSS Scores
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High
Attack Vector
Network
Attack Complexity
Low
Authentication
Single
Confidentiality
None
Integrity
Partial
Availability
None
* Common Vulnerability Scoring System
SSVC
  • Decision:-
Exploitation
-
Automatable
-
Tech. Impact
-
* Organization's Worst-case Scenario
Timeline
  • 2019-03-29 CVE Reserved
  • 2019-06-15 CVE Published
  • 2023-05-08 EPSS Updated
  • 2024-08-04 CVE Updated
  • 2024-08-04 First Exploit
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
CWE
  • CWE-269: Improper Privilege Management
  • CWE-640: Weak Password Recovery Mechanism for Forgotten Password
CAPEC
References (1)
URL Tag Source
URL Date SRC
https://cxsecurity.com/issue/WLB-2019060101 2024-08-04
URL Date SRC
URL Date SRC
Affected Vendors, Products, and Versions
Vendor Product Version Other Status
Vendor Product Version Other Status <-- --> Vendor Product Version Other Status
Ultimatemember
Search vendor "Ultimatemember"
 Ultimate Member
Search vendor "Ultimatemember" for product "Ultimate Member"
 < 2.0.40
Search vendor "Ultimatemember" for product "Ultimate Member" and version " < 2.0.40"
wordpress
Affected