December 12, 2023

Researchers have identified two new vulnerabilities in the popular Simple Membership plugin for WordPress, affecting versions 4.3.4 and below, that lead to potential privilege escalation.

With over 50K active installations, the plugin developed by smp7 and wp.insider is widely used for custom membership management on WordPress sites.

The flaws identified by Patchstack security researchers include an Unauthenticated Membership Role Privilege Escalation vulnerability tracked as CVE-2023-41957 and an Authenticated Account Takeover vulnerability tracked as CVE-2023-41956.


The first vulnerability allowed unauthenticated users to register accounts with arbitrary membership levels, while the second allowed authenticated users to take over any member account through an insecure password reset process.

The Unauthenticated Membership Role Privilege Escalation vulnerability resides in a function that handles the registration process.

The critical condition is that this function can be manipulated through certain GET parameters, enabling a user to register with any membership level from an arbitrary member account.

In the Authenticated Account Takeover vulnerability, a separate function handles password reset through a link feature. By carefully crafting the parameters, an attacker could exploit this vulnerability to take control of a user’s account.


According to the advisory, the plugin vendor responded swiftly after Patchstack reported the vulnerability on August 29. 

The vendor released version 4.3.5 on August 30, 2023 to patch these issues, implementing checks to validate user-controlled parameters in the custom registration and password reset processes.
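The checks described above amount to refusing to let request parameters choose a privilege level or an account. As an added illustration (not the plugin's code; all function and parameter names are hypothetical and the data is constructed), here is the weak registration pattern beside a hardened one, and a reset-link handler that takes the account from the stored token rather than from the request:

```php
<?php
// Added example, not the Simple Membership plugin's code: a plain-PHP model of the
// two defect classes described above and of the kind of check that closes them.
// All function and parameter names are hypothetical.

// Weak registration: the membership level is whatever the GET request says, so
// the client picks its own privilege level.
function weak_membership_level(array $get): int {
    return (int) ($get['level'] ?? 0);
}

// Hardened registration: only levels the site has opened for self-service signup
// are honoured; any other value falls back to the configured default.
function safe_membership_level(array $get, array $public_levels, int $default): int {
    $requested = filter_var($get['level'] ?? null, FILTER_VALIDATE_INT);
    if ($requested === false || !in_array($requested, $public_levels, true)) {
        return $default;
    }
    return $requested;
}

// Hardened reset link: the account is taken from the stored token record, never
// from a request parameter. Tokens are stored hashed, expire, and are single use.
function resolve_reset_account(array $get, array &$tokens, int $now): ?int {
    $token = (string) ($get['token'] ?? '');
    if ($token === '') return null;
    $key = hash('sha256', $token);          // the token itself never sits in storage
    if (!isset($tokens[$key])) return null;
    $record = $tokens[$key];
    unset($tokens[$key]);                   // consume it even if it turns out to be expired
    return $record['expires'] > $now ? $record['user_id'] : null;
}

// Constructed sample data: tiers 2 and 3 are open for signup, tier 1 is not;
// one outstanding reset token belongs to user 42.
$public_levels = [2, 3];
$tokens = [hash('sha256', 'constructed-token') => ['user_id' => 42, 'expires' => 2000]];
$checks = [
    weak_membership_level(['level' => '1']) === 1,                                   // client chose tier 1
    safe_membership_level(['level' => '1'], $public_levels, 2) === 2,                // rejected, default applied
    safe_membership_level(['level' => '3'], $public_levels, 2) === 3,                // permitted choice
    resolve_reset_account(['token' => 'constructed-token', 'user' => '1'], $tokens, 1000) === 42, // 'user' ignored
    resolve_reset_account(['token' => 'constructed-token'], $tokens, 1000) === null, // already consumed
];
if (in_array(false, $checks, true)) {
    throw new RuntimeException('example checks failed');
}
```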
