While investigating a security advisory about an arbitrary role change/privilege escalation issue in the HM Multiple Roles WordPress plugin, the Jetpack Scan team discovered that the fix was incomplete and left the plugin still vulnerable.

The issue is fully fixed in version 1.3 of the plugin, and we advise any sites using any earlier version of this plugin to update as soon as possible.

Details

Plugin Name: HM Multiple Roles
Plugin URI: https://wordpress.org/plugins/hm-multiple-roles
Author: HM Plugin
Author URI: https://hmplugin.com/
WPScan Entry: https://wpscan.com/vulnerability/5fd2548a-08de-4417-bff1-f174dab718d5

The Vulnerability

The plugin allows a logged-in administrator to assign one or more roles when creating a new user or editing an existing one. Versions before 1.1 let any logged-in user assign themselves any combination of roles through their own profile page. Version 1.1 attempted to fix this by disabling the role checkboxes in the form for non-administrator users.

However, disabling the checkboxes was a purely client-side change: a disabled form control is omitted from the submitted request by the browser, but nothing stops the user from re-enabling it, and the server-side code that saved the profile did not verify that the submitting user was actually allowed to change roles. A low-privileged user could therefore escalate their privileges simply by re-enabling the checkboxes, ticking the roles they wanted and submitting the page.

This is easily done with the built-in developer tools of any web browser, as demonstrated in the video below:

https://jetpackme.files.wordpress.com/2021/08/hm-multiple-roles-privesc-vuln.mp4
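To make the failure mode concrete, the following is an added illustration (not the HM Multiple Roles plugin's code, and not the vendor's fix) of the two patterns described above, written as WordPress profile-save hooks: a handler that trusts the submitted role list because the UI hid the field, and a hardened version that authorizes every request on the server. The function names, the hmmr_roles form field and the hmmr_roles_nonce nonce are hypothetical; the WordPress APIs used (current_user_can, check_admin_referer, wp_roles, WP_User::set_role / add_role, the personal_options_update and edit_user_profile_update hooks) are real core APIs.

```php
<?php
/**
 * Added example: saving a "multiple roles" field from the WordPress profile page.
 * This is illustrative code, not the HM Multiple Roles plugin's own code.
 * Hypothetical names: example_* functions, the 'hmmr_roles' POST field and
 * the 'hmmr_roles_nonce' nonce.
 */

// VULNERABLE pattern: the role checkboxes are merely disabled in the HTML
// for non-administrators, and the save handler trusts whatever arrives.
// Re-enabling the checkboxes in the browser's developer tools is enough
// to make the browser submit them again.
function example_vulnerable_save_roles( $user_id ) {
    if ( ! isset( $_POST['hmmr_roles'] ) ) {
        return;
    }
    $user  = get_userdata( $user_id );
    $roles = (array) $_POST['hmmr_roles'];
    // No capability check, no nonce check, no validation of the role names:
    // any logged-in user saving their own profile reaches this point.
    $user->set_role( array_shift( $roles ) );
    foreach ( $roles as $role ) {
        $user->add_role( $role );
    }
}

// HARDENED pattern: the UI state is irrelevant; authorization happens here.
function example_hardened_save_roles( $user_id ) {
    if ( ! isset( $_POST['hmmr_roles'] ) ) {
        return;
    }

    // 1. Only users who may change roles (promote_users) and who may edit
    //    this particular account (edit_user meta-capability) get any further.
    //    A subscriber editing their own profile passes edit_user but fails
    //    promote_users, so the submitted roles are simply ignored.
    if ( ! current_user_can( 'promote_users' ) || ! current_user_can( 'edit_user', $user_id ) ) {
        return;
    }

    // 2. The request must carry a valid nonce for this action (CSRF protection).
    //    check_admin_referer() calls wp_die() if the nonce is missing or invalid.
    check_admin_referer( 'hmmr_save_roles_' . $user_id, 'hmmr_roles_nonce' );

    // 3. Accept only role slugs that actually exist on this site.
    $known = array_keys( wp_roles()->get_names() );
    $roles = array_values( array_intersect(
        array_map( 'sanitize_key', (array) $_POST['hmmr_roles'] ),
        $known
    ) );
    if ( empty( $roles ) ) {
        return;
    }

    $user = get_userdata( $user_id );
    $user->set_role( array_shift( $roles ) ); // replaces all existing roles
    foreach ( $roles as $role ) {
        $user->add_role( $role );
    }
}

// Both hooks fire when the profile form is saved: personal_options_update when
// a user saves their own profile, edit_user_profile_update when editing another
// user's. Wiring only the hardened handler here.
add_action( 'personal_options_update',  'example_hardened_save_roles' );
add_action( 'edit_user_profile_update', 'example_hardened_save_roles' );
```

The point of the hardened version is that the checkbox state in the rendered page plays no part in the decision: the capability check and the nonce check run on every request, so re-enabling a disabled control, replaying a captured request, or submitting the field from a hand-crafted form all end in the same place. Step 3 is a defence-in-depth measure, not the fix itself; the missing capability check in step 1 is what the advisory above describes.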

Affected versions: <= 1.2
Fixed version: 1.3
CVE-ID: CVE-2021-24602
CWE: CWE-284
CWSS: 79.3

Timeline

2021-07-20: Initial notification to vendor
2021-07-27: Tried contacting vendor again through another channel
2021-07-28: Contact with vendor established
2021-08-02: Received and verified suggested fixes from vendor
2021-08-02: Fixed version released on wordpress.org

Conclusion

If you are using the HM Multiple Roles WordPress plugin version 1.2 or earlier on your site, we recommend that you upgrade to the latest version as soon as possible.

At Jetpack, we work hard to make sure your websites are protected from these types of vulnerabilities. To stay one step ahead of any new threats, check out Jetpack Scan, which includes security scanning and automated malware removal.

Credits

Original researcher: Harald Eilertsen

Thanks to the rest of the Jetpack Scan team for feedback, help, and corrections. Also thanks to the WPScan team for the prompt response to our feedback on the issue, and to HM Plugin for being responsive and promptly fixing the issue.