CVE-2024-10528
📋 TL;DR
This vulnerability in the Ultimate Member WordPress plugin allows authenticated attackers with subscriber-level access or higher to change other users' profile pictures without authorization. The flaw exists due to missing capability checks in image resizing functions. All WordPress sites using Ultimate Member versions up to 2.8.9 are affected.
💻 Affected Systems
- Ultimate Member WordPress Plugin
📦 What is this software?
Ultimate Member by Ultimatemember
⚠️ Risk & Real-World Impact
Worst Case
Attackers could replace legitimate profile pictures with inappropriate or malicious content, potentially damaging user reputations or enabling social engineering attacks.
Likely Case
Malicious users changing profile pictures of other users to cause confusion, harassment, or minor reputation damage.
If Mitigated
Limited impact if proper user education and monitoring are in place, though unauthorized changes still violate user control.
🎯 Exploit Status
Exploitation requires authenticated access but is technically simple. The vulnerability details are publicly documented.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.9.0
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find the Ultimate Member plugin.
4. Click 'Update Now' if available.
5. Alternatively, download version 2.9.0+ from WordPress.org and update manually.
🔧 Temporary Workarounds
Disable vulnerable AJAX endpoints
Prevent access to the vulnerable image resizing functions by unhooking the AJAX endpoints.
Add to the theme's functions.php or a custom plugin:

```php
// Temporary workaround: unhook the Ultimate Member image-resize AJAX handlers.
// remove_action() only succeeds when the hook name, callback and priority match
// the plugin's own add_action() call; confirm the callback name against the
// plugin's class-files.php (see References) before relying on this.
add_action('init', function () {
    if (defined('DOING_AJAX') && DOING_AJAX) {
        // Handler for logged-in users
        remove_action('wp_ajax_um_resize_image', 'um_resize_image');
        // Handler for anonymous users
        remove_action('wp_ajax_nopriv_um_resize_image', 'um_resize_image');
    }
});
```
Restrict user capabilities
Temporarily limit subscriber-level users' access to profile modification features.
Use a WordPress role management plugin to remove the 'upload_files' capability from the subscriber role.
🧯 If You Can't Patch
- Disable the Ultimate Member plugin entirely until patched
- Implement strict monitoring of user profile changes and review audit logs daily
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin → Plugins → Ultimate Member → Version. If version is 2.8.9 or lower, you are vulnerable.
Check Version:
wp plugin list --name='ultimate-member' --field=version (if WP-CLI installed)
Verify Fix Applied:
After updating, verify version shows 2.9.0 or higher in WordPress plugins page.
📡 Detection & Monitoring
Log Indicators:
- Multiple AJAX requests to /wp-admin/admin-ajax.php with action=um_resize_image from non-admin users
- Unexpected profile picture changes in user database or media library
Network Indicators:
- POST requests to admin-ajax.php containing um_resize_image action parameter
SIEM Query:
source="wordpress.logs" AND (action="um_resize_image" OR uri="/wp-admin/admin-ajax.php") AND user_role!="administrator"
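The log indicators above, as an added example that is not part of this advisory or of the Ultimate Member plugin: a small Python script that parses constructed access-log lines and counts calls to action=um_resize_image per non-administrator account. The trailing `user=... role=...` fields are an assumed enrichment (stock Apache/nginx logs do not carry the WordPress role), and the role list in PRIVILEGED_ROLES is an assumption for the example.

```python
"""Flag non-administrator accounts calling the Ultimate Member resize endpoint.

Added example, not code from the advisory or the plugin. The log lines below
are constructed; the "user=<login> role=<role>" suffix is an assumed
enrichment field appended by a WordPress logging plugin or WAF.
"""
import re
from collections import Counter
from urllib.parse import parse_qs, urlparse

ADMIN_AJAX = "/wp-admin/admin-ajax.php"
TARGET_ACTION = "um_resize_image"
# Assumption: only administrators are expected to touch other users' files.
PRIVILEGED_ROLES = {"administrator"}

# Constructed sample log (combined log format plus the assumed user/role suffix).
SAMPLE_LOG = """\
10.0.0.5 - - [12/Nov/2024:10:01:03 +0000] "POST /wp-admin/admin-ajax.php?action=um_resize_image HTTP/1.1" 200 512 user=alice role=subscriber
10.0.0.5 - - [12/Nov/2024:10:01:05 +0000] "POST /wp-admin/admin-ajax.php?action=um_resize_image HTTP/1.1" 200 512 user=alice role=subscriber
10.0.0.5 - - [12/Nov/2024:10:01:06 +0000] "POST /wp-admin/admin-ajax.php?action=um_resize_image HTTP/1.1" 200 512 user=alice role=subscriber
10.0.0.9 - - [12/Nov/2024:10:02:10 +0000] "POST /wp-admin/admin-ajax.php?action=um_resize_image HTTP/1.1" 200 512 user=admin role=administrator
10.0.0.7 - - [12/Nov/2024:10:03:44 +0000] "GET /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 64 user=bob role=subscriber
10.0.0.8 - - [12/Nov/2024:10:04:00 +0000] "POST /wp-admin/admin-ajax.php?action=um_resize_image HTTP/1.1" 200 512 user=bob role=editor
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
    r'(?: user=(?P<user>\S+) role=(?P<role>\S+))?'
)


def parse_line(line: str):
    """Parse one log line into a dict; return None for lines that do not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    url = urlparse(rec["target"])
    rec["path"] = url.path
    # The AJAX action normally travels in the POST body, which access logs do
    # not record; this example reads it from the query string instead.
    rec["action"] = parse_qs(url.query).get("action", [None])[0]
    return rec


def is_resize_call(rec) -> bool:
    """True when the record is a call to the um_resize_image AJAX action."""
    return (
        rec is not None
        and rec["path"].endswith(ADMIN_AJAX)
        and rec["action"] == TARGET_ACTION
    )


def flag_resize_callers(log_text: str, min_calls: int = 1):
    """Return [(user, role, count), ...] for non-privileged callers of the
    resize endpoint seen at least min_calls times, most active first."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not is_resize_call(rec):
            continue
        # Anonymous (wp_ajax_nopriv) calls carry no user/role and are kept,
        # since the page's workaround covers that hook too.
        user = rec["user"] or "anonymous"
        role = rec["role"] or "unknown"
        if role in PRIVILEGED_ROLES:
            continue
        counts[(user, role)] += 1
    hits = [(u, r, n) for (u, r), n in counts.items() if n >= min_calls]
    return sorted(hits, key=lambda h: (-h[2], h[0]))


if __name__ == "__main__":
    for user, role, n in flag_resize_callers(SAMPLE_LOG):
        print(f"{user} ({role}): {n} resize call(s)")
```

On the constructed sample this reports alice (subscriber, 3 calls) and bob (editor, 1 call) and ignores the administrator's call and bob's heartbeat request. Raise min_calls to suppress single legitimate self-service uploads and surface only repeated callers.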
🔗 References
- https://github.com/ultimatemember/ultimatemember/blob/ab05bc570a8ba6449cd470791be1c0670eb9c203/includes/core/class-files.php#L332
- https://github.com/ultimatemember/ultimatemember/blob/ab05bc570a8ba6449cd470791be1c0670eb9c203/includes/core/class-files.php#L371
- https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3186722%40ultimate-member&new=3186722%40ultimate-member&sfp_email=&sfph_mail=
- https://www.wordfence.com/threat-intel/vulnerabilities/id/0a9793b6-2186-46ef-b204-d8f8f154ebf3?source=cve