Platform
wordpress
Component
ultimate-membership-pro
Fixed in
8.6.1
CVE-2020-36832 is a critical authentication bypass vulnerability in the Ultimate Membership Pro plugin for WordPress. It allows unauthenticated attackers to log in to existing user accounts, including accounts with administrator privileges. The affected range begins at version 7.3 and the fix shipped in version 8.6.1, so every release from 7.3 up to the fixed version is vulnerable.
The impact is severe. An attacker can bypass authentication entirely and log in as any existing user on the site, including the administrator, which grants full control over content, configuration, and user accounts. From there an attacker can modify data, install malicious plugins, deface the site, or exfiltrate sensitive information. Because the flaw lets an attacker impersonate the administrator, it threatens the integrity and confidentiality of the whole WordPress environment. As with other authentication bypass flaws, the root cause is improper validation of the identity asserted at login rather than a weak password, so credential hygiene alone does not protect against it.
CVE-2020-36832 was publicly disclosed on October 16, 2024. No public proof-of-concept (PoC) code has been widely released, but the flaw is simple to exploit, which makes it a high-priority concern. It is not currently listed in CISA's Known Exploited Vulnerabilities (KEV) catalog; given its severity and low exploitation complexity, active exploitation remains plausible even without a public PoC and should be monitored.
Every website running an affected version of Ultimate Membership Pro is exposed. Because the flaw bypasses authentication, strong passwords and non-default administrator usernames do not reduce the risk. Shared WordPress hosting environments raise the stakes further: if sites on the same server are not isolated from one another, compromising one site can lead to the compromise of the others.
Detection and remediation commands:
• Search the plugin source on disk:
  grep -r 'wp_authenticate_key' /var/www/html/wp-content/plugins/ultimate-membership-pro/
• Confirm whether the plugin is installed and active:
  wp plugin list --status=active | grep ultimate-membership-pro
• Update the plugin to the fixed release:
  wp plugin update ultimate-membership-pro
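The commands above tell you whether the plugin is present, not whether the installed release is inside the affected range. The following POSIX shell script is an added example, not code from this page or from the plugin vendor: it compares a version string field by field against the range 7.3 (first affected) to 8.6.1 (the "Fixed in" release, treated as not affected), and reads the version out of a WordPress plugin header. The plugin header file it parses is a constructed sample; on a real site point plugin_header_version at the plugin's main PHP file, or use `wp plugin get ultimate-membership-pro --field=version` where WP-CLI is available.

```shell
#!/bin/sh
# Added example (not the page's or the plugin's own code): decide whether an
# installed Ultimate Membership Pro version falls in the affected range for
# CVE-2020-36832, i.e. >= 7.3 and below the fixed release 8.6.1.
# A plain string comparison gets this wrong ("8.10" sorts before "8.6.1"),
# so versions are compared component by component as integers.

FIRST_AFFECTED="7.3"
FIXED_VERSION="8.6.1"

# vercmp A B -> prints -1, 0 or 1 for A < B, A = B, A > B (missing fields count as 0)
vercmp() {
  awk -v a="$1" -v b="$2" 'BEGIN {
    na = split(a, A, "."); nb = split(b, B, ".");
    n = (na > nb) ? na : nb;
    for (i = 1; i <= n; i++) {
      x = (i <= na) ? A[i] + 0 : 0; y = (i <= nb) ? B[i] + 0 : 0;
      if (x < y) { print -1; exit }
      if (x > y) { print 1; exit }
    }
    print 0
  }'
}

# is_affected VERSION -> exit status 0 when FIRST_AFFECTED <= VERSION < FIXED_VERSION
is_affected() {
  [ "$(vercmp "$1" "$FIRST_AFFECTED")" -ge 0 ] && [ "$(vercmp "$1" "$FIXED_VERSION")" -lt 0 ]
}

# plugin_header_version FILE -> the "Version:" value from a WordPress plugin
# header comment (lines look like " * Version: 8.6" or "Version: 8.6")
plugin_header_version() {
  grep -m1 -i '^[[:space:]*]*Version:' "$1" | sed 's/^[^:]*:[[:space:]]*//' | tr -d '[:space:]'
}

# Constructed sample header standing in for a real plugin main file.
demo_dir="$(mktemp -d)"
demo_file="$demo_dir/ultimate-membership-pro.php"
cat > "$demo_file" <<'EOF'
<?php
/*
 * Plugin Name: Ultimate Membership Pro (constructed sample header)
 * Version: 8.6
 */
EOF

for v in 7.2 7.3 8.6 8.6.1 8.10; do
  if is_affected "$v"; then echo "$v: affected"; else echo "$v: not affected"; fi
done
v="$(plugin_header_version "$demo_file")"
if is_affected "$v"; then
  echo "sample install ($v): affected, update to $FIXED_VERSION or later"
fi
rm -rf "$demo_dir"
```

The numeric comparison matters in practice: any later 8.x release such as 8.10 must be recognised as fixed, and a lexical sort would misclassify it.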
EPSS
0.64% (70th percentile)
The primary mitigation for CVE-2020-36832 is to upgrade the Ultimate Membership Pro plugin to version 8.6.1 or later immediately. If the upgrade is not immediately feasible because of compatibility issues or breaking changes, reduce exposure in the meantime: restrict access to the plugin's login and account pages, and consider a Web Application Firewall (WAF) rule that blocks requests to the plugin's login flow carrying unexpected usernames or user IDs. Stricter password policies do not help against this flaw, because the bypass does not depend on credentials, and none of these measures is a substitute for the update. Also review WordPress user accounts for signs of unauthorized access, such as administrators you do not recognise or recent role changes.
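The account review in the last sentence is easier to do against a baseline than by eye. The following POSIX shell script is an added example, not code from this page or the plugin vendor: it takes the CSV that `wp user list --role=administrator --format=csv --fields=ID,user_login,user_email,user_registered` produces and reports administrators missing from a known-good list, plus administrators registered on or after a given date (the 2024-10-16 disclosure date is used in the demo). The CSV and baseline written by make_samples are constructed sample data so the script runs offline; on a real site feed it the live WP-CLI output and your own baseline.

```shell
#!/bin/sh
# Added example (not the page's or the plugin's own code): review administrator
# accounts after exposure to an authentication bypass by comparing them with a
# known-good baseline and by registration date.
# Input format: CSV from
#   wp user list --role=administrator --format=csv --fields=ID,user_login,user_email,user_registered

# make_samples -> creates a temp dir holding constructed admins.csv and
# baseline.txt, and prints the directory path
make_samples() {
  d="$(mktemp -d)"
  cat > "$d/admins.csv" <<'EOF'
ID,user_login,user_email,user_registered
1,siteowner,owner@example.com,2019-03-04 10:22:01
4,webmaster,web@example.com,2021-07-19 08:00:12
7,support-tmp,support@example.com,2024-11-02 03:14:55
EOF
  printf '%s\n' siteowner webmaster > "$d/baseline.txt"
  echo "$d"
}

# unexpected_admins BASELINE_FILE CSV_FILE -> logins holding the administrator
# role that do not appear in the baseline (one login per line)
unexpected_admins() {
  awk -F',' -v base="$1" '
    BEGIN { while ((getline line < base) > 0) if (line != "") known[line] = 1 }
    NR > 1 && !($2 in known) { print $2 }
  ' "$2"
}

# admins_registered_since DATE CSV_FILE -> administrator logins whose
# user_registered date (YYYY-MM-DD prefix) is on or after DATE
admins_registered_since() {
  awk -F',' -v since="$1" 'NR > 1 && substr($4, 1, 10) >= since { print $2 }' "$2"
}

dir="$(make_samples)"
echo "administrators not in baseline:"
unexpected_admins "$dir/baseline.txt" "$dir/admins.csv"
echo "administrators registered since the 2024-10-16 disclosure:"
admins_registered_since 2024-10-16 "$dir/admins.csv"
rm -rf "$dir"
```

A login that the bypass was used against will not show up here, since the attacker uses an existing account; the checks catch the common follow-on step of creating or promoting an account for persistent access, which is why the baseline should be captured from a known-clean state.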
Update the Ultimate Membership Pro plugin to version 8.6.1 or later. This update fixes the authentication bypass vulnerability that allows unauthenticated attackers to log in as any user, including the site administrator.
CVE-2020-36832 is a critical vulnerability in Ultimate Membership Pro that allows unauthenticated attackers to log in as any user, including the administrator. It affects versions from 7.3 up to the fix in 8.6.1.
If you are running Ultimate Membership Pro 7.3 or any later release below 8.6.1, you are vulnerable. Upgrade to 8.6.1 or later to remove the risk.
Upgrade the Ultimate Membership Pro plugin to version 8.6.1 or later. If immediate upgrade is not possible, implement temporary restrictions and WAF rules.
While no public exploit is known, the flaw's simplicity means active exploitation is plausible and should be monitored.
Refer to the official Ultimate Membership Pro website and WordPress plugin repository for the latest advisory and update information.