CVE-2024-43240 & CVE-2024-43242 in Ultimate Membership Pro Plugin Put 40,000 Websites at Risk
The Ultimate Membership Pro plugin, a premium WordPress plugin widely used for managing membership subscriptions, has been found to contain two critical vulnerabilities, according to a report from Rafie Muhammad, a security researcher at Patchstack. With nearly 40,000 sales, the plugin is a popular choice for websites offering valuable content behind paywalls.
The first vulnerability (CVE-2024-43240, CVSS 9.4) is an unauthenticated privilege escalation: a visitor who is not logged in can register for any membership level and receive the WordPress role attached to that level. As Muhammad explained, “users can supply $postData['lid'] and it will be constructed into the $levelData variable, which contains a custom membership level”; the new account's role is then taken from $levelData['custom_role_level'] without any check that the caller is entitled to that level. The plugin's default configuration does not map any level to the administrator role, but a site that has attached a high-privilege or custom role to a membership level hands that role to anyone who submits the matching level id.
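The pattern described above, shown as an added illustrative example in PHP. This is not the plugin's code: the level table, the `public_signup` flag and the two function names are assumptions made for the demonstration. The vulnerable function lets the request pick the level and therefore the role; the hardened version only accepts levels that are open to self-registration and caps the role an anonymous signup can obtain.

```php
<?php
// Added illustrative example, not the plugin's code. A level id taken from the
// request decides which WordPress role the new account receives, so whoever
// controls the id controls the role.

// Constructed sample "level" table standing in for the plugin's settings.
// The ids, names, roles and the public_signup flag are hypothetical.
$levels = [
    1 => ['name' => 'Free',     'custom_role_level' => 'subscriber', 'public_signup' => true],
    2 => ['name' => 'Premium',  'custom_role_level' => 'subscriber', 'public_signup' => false],
    3 => ['name' => 'Partners', 'custom_role_level' => 'editor',     'public_signup' => false],
];

// Vulnerable pattern: trust $postData['lid'] to select the level, then copy
// the level's role onto the freshly created user. Returns the role granted,
// or null if no account would be created.
function register_vulnerable(array $postData, array $levels): ?string
{
    $lid = (int) ($postData['lid'] ?? 0);
    $levelData = $levels[$lid] ?? null;
    if ($levelData === null) {
        return null;
    }
    // In WordPress this is where wp_insert_user() would run, followed by
    // $user->set_role($levelData['custom_role_level']).
    return $levelData['custom_role_level'];
}

// Hardened pattern: the request may only name levels that are open to public
// self-registration, and even those may not grant more than a subscriber.
// Paid or approval-only levels must be granted server-side after payment or
// review, never from a client-supplied id.
function register_hardened(array $postData, array $levels): ?string
{
    $lid = filter_var($postData['lid'] ?? null, FILTER_VALIDATE_INT);
    if ($lid === false || !isset($levels[$lid]) || !$levels[$lid]['public_signup']) {
        return null; // unknown level, or one that requires payment/approval
    }
    $levelData = $levels[$lid];

    // Allow-list of roles an unauthenticated signup is ever permitted to get.
    $allowedSignupRoles = ['subscriber'];
    if (!in_array($levelData['custom_role_level'], $allowedSignupRoles, true)) {
        return null;
    }
    return $levelData['custom_role_level'];
}

// Constructed request: an anonymous visitor asks for the "Partners" level,
// which carries the editor role.
$request = ['lid' => '3'];

$granted  = register_vulnerable($request, $levels); // editor: the level id alone decided the role
$rejected = register_hardened($request, $levels);   // null: level is not open to self-registration

var_dump($granted, $rejected);
```

Run with `php example.php`. The important design point is that the hardened version has two independent gates: the level must be one a visitor may legitimately choose, and the resulting role must be on a short allow-list. Either check alone would be bypassed by a site operator who later attaches a privileged role to a public level.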
The second flaw (CVE-2024-43242, CVSS 9.0), unauthenticated PHP object injection, is the more dangerous of the two. It arises when request data reaches unserialize() without validation. PHP instantiates whatever class a serialized payload names, and any magic methods that class defines (such as __wakeup() or __destruct()) run automatically, so an attacker who finds a suitable class in the plugin, in WordPress core or in any other loaded plugin can turn the deserialization into file writes or arbitrary code execution. Muhammad's analysis found the pattern in multiple functions, including ihc_ajax_stripe_connect_generate_payment_intent and checkCookies, all reachable without logging in. Successful exploitation would give an attacker control of the whole site.
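To make the mechanism concrete, here is an added example in PHP. It is not the plugin's code: the `CacheWriter` class, the function names and the cookie payload are all constructed for the demonstration. The vulnerable function passes a cookie value straight to unserialize(); the two hardened variants either forbid object instantiation or avoid PHP serialization for untrusted data altogether.

```php
<?php
// Added illustrative example, not the plugin's code. Shows why handing request
// data to unserialize() is dangerous and two safer alternatives.

// Hypothetical class that happens to be loaded by the application. Its
// __destruct() performs a file write, which is the kind of "gadget" an
// attacker looks for once they control a serialized payload: the side effect
// fires when the object is garbage-collected, even if the caller never uses it.
class CacheWriter
{
    public string $path = '/tmp/cache.txt';
    public string $data = '';

    public function __destruct()
    {
        file_put_contents($this->path, $this->data);
    }
}

// Vulnerable pattern: a cookie or POST value goes straight into unserialize().
// PHP will instantiate whatever class the payload names.
function restore_vulnerable(string $cookieValue)
{
    return unserialize($cookieValue);
}

// Hardened option 1: forbid object instantiation entirely. Any object in the
// payload becomes __PHP_Incomplete_Class and no magic methods run.
function restore_hardened(string $cookieValue)
{
    return unserialize($cookieValue, ['allowed_classes' => false]);
}

// Hardened option 2: do not use PHP serialization for untrusted data at all.
// JSON can only express scalars, arrays and plain maps, never live objects.
function restore_json(string $cookieValue): ?array
{
    $decoded = json_decode($cookieValue, true);
    return is_array($decoded) ? $decoded : null;
}

// Constructed attacker payload, written by hand so no CacheWriter is created
// (and no file written) before the vulnerable call. It names the loaded class
// and sets the two properties the destructor uses.
$payload = 'O:11:"CacheWriter":2:{s:4:"path";s:14:"/tmp/owned.txt";'
         . 's:4:"data";s:26:"written by deserialization";}';

$obj = restore_vulnerable($payload);
// $obj is a real CacheWriter; its __destruct() will write /tmp/owned.txt
// when the script ends, without any further action by the "application".

$safe = restore_hardened($payload);
// $safe is a __PHP_Incomplete_Class: the property values survive as data,
// but CacheWriter::__destruct() is never attached to it.

$json = restore_json($payload);
// The payload is not valid JSON, so this returns null and nothing is created.

var_dump(get_class($obj), get_class($safe), $json);
```

The cookie value is shown only to make the serialized format visible; whether a given site is exploitable depends on which classes with dangerous magic methods are loaded alongside the vulnerable entry point, which is why the fix is to remove unserialize() from untrusted paths rather than to hunt for gadgets.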
The privilege escalation bug lets an attacker reach members-only content and whatever capabilities the escalated role carries; the object injection bug lets an attacker run code on the server, which can mean stolen data, planted backdoors or a defaced site. Given how widely the plugin is deployed on paid-membership sites, unpatched installations are an attractive target.
If you use Ultimate Membership Pro, update to version 16.8 or later as soon as possible. Patching closes the entry points but does not undo what may already have happened: review user accounts for unexpected roles or membership levels created before the update, and remove any that were not legitimately granted. More generally, any code on the site that passes request or cookie data to unserialize(), or that lets a client-supplied identifier choose a role, should be treated as a finding in its own right.