NTZApps CRM Memberships
cpe:2.3:a:ntzapps:crm_memberships:*:*:*:*:wordpress:*:*
- <= 2.5
A privilege escalation vulnerability has been identified in the CRM Memberships plugin for WordPress, affecting all versions through 2.5. The issue arises from inadequate authorization and authentication checks on the 'ntzcrm_changepassword' AJAX action. This vulnerability allows unauthenticated attackers to reset passwords for any user, provided they can access or guess the target user's email address. Additionally, the plugin's 'ntzcrm_get_users' endpoint is available without authentication, enabling attackers to collect email addresses of subscribers, which can be used to exploit the password reset feature.
Exploitation of this vulnerability allows for unauthorized password resets, enabling attackers to gain access to user accounts.
To reproduce this vulnerability, send a request to the 'ntzcrm_changepassword' AJAX endpoint without authentication. Include the target user's email address and the new password details. The absence of proper authorization checks will allow the password reset to be processed, granting access to the specified user account.
No patch is currently available. Users are advised to uninstall the affected plugin and consider a replacement.
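Because no patch exists, sites that ran the plugin should check their web server logs for the enumeration-then-reset sequence described above. The following is an added example, not code from the plugin or from this advisory: it assumes Combined Log Format access logs and the standard WordPress routing of AJAX actions through /wp-admin/admin-ajax.php with an `action` parameter. The function names and sample log lines are constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Action names are taken from the advisory; the path is standard WordPress.
ENUM_ACTION = "ntzcrm_get_users"
RESET_ACTION = "ntzcrm_changepassword"
AJAX_PATH = "/wp-admin/admin-ajax.php"

# Combined Log Format: ip ident user [time] "METHOD target PROTO" status ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (?P<target>\S+) [^"]*" \d{3} '
)

def plugin_action(target):
    """Return the plugin AJAX action named in the query string, else None."""
    parts = urlsplit(target)
    if not parts.path.endswith(AJAX_PATH):
        return None
    for action in parse_qs(parts.query).get("action", []):
        if action in (ENUM_ACTION, RESET_ACTION):
            return action
    return None

def find_suspects(lines):
    """Map client IP to 'enum', 'reset' or 'enum_then_reset' for review."""
    seen = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        action = plugin_action(m["target"])
        if action:
            seen[m["ip"]].append(action)
    findings = {}
    for ip, actions in seen.items():
        if RESET_ACTION not in actions:
            findings[ip] = "enum"
            continue
        # Was the user list fetched before the first password change call?
        chained = ENUM_ACTION in actions[:actions.index(RESET_ACTION)]
        findings[ip] = "enum_then_reset" if chained else "reset"
    return findings

# Constructed sample log lines (documentation IP ranges, not real traffic).
SAMPLE_LOG = [
    '203.0.113.7 - - [12/Mar/2025:10:01:02 +0000] "GET /wp-admin/admin-ajax.php?action=ntzcrm_get_users HTTP/1.1" 200 5120 "-" "curl/8.0"',
    '203.0.113.7 - - [12/Mar/2025:10:01:09 +0000] "POST /wp-admin/admin-ajax.php?action=ntzcrm_changepassword HTTP/1.1" 200 31 "-" "curl/8.0"',
    '198.51.100.4 - - [12/Mar/2025:10:02:00 +0000] "POST /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 60 "-" "Mozilla/5.0"',
    '192.0.2.9 - - [12/Mar/2025:10:03:00 +0000] "GET /wp-admin/admin-ajax.php?action=ntzcrm_get_users HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
]
```

Access logs do not record POST bodies or session state, so this only sees actions passed in the query string and cannot tell authenticated from unauthenticated calls. Treat each hit as a lead to confirm against WAF or request-body logs and against recent password changes on the accounts involved.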