While investigating a security advisory about an arbitrary role change/privilege escalation issue in the HM Multiple Roles WordPress plugin, the Jetpack Scan team discovered that the fix was incomplete and left the plugin still vulnerable.
The issue is fully fixed in version 1.3 of the plugin, and we advise any sites using any earlier version of this plugin to update as soon as possible.
Plugin Name: HM Multiple Roles
Plugin URI: https://wordpress.org/plugins/hm-multiple-roles
Author: HM Plugin
Author URI: https://hmplugin.com/
WPScan Entry: https://wpscan.com/vulnerability/5fd2548a-08de-4417-bff1-f174dab718d5
The plugin allows a logged-in administrator to assign one or more roles when creating a new user or editing an existing user. Versions before 1.1 would allow any user to assign any combination of roles to themselves through the user profile page. Version 1.1 introduced a change that disables the checkboxes for selecting roles for non-administrator users.
However, the fix did not check on the server side that the request was valid when the profile page was submitted. This allowed a low-privileged user to escalate their privileges by simply re-enabling the checkboxes for the roles they wanted and submitting the page.
This can be easily achieved by using the built-in developer tools in the web browser, as demonstrated in the video below:
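To illustrate why a client-side-only fix is insufficient, here is an added example (not the plugin's own code) contrasting a handler that trusts whatever arrives in the form with one that authorizes the change on the server. The hook, form field names (`hmmr_roles`, `hmmr_nonce`) and function names are hypothetical; only the WordPress core APIs are real.

```php
<?php
// Hypothetical example, not code from HM Multiple Roles. Assumes a profile form that
// posts role slugs as $_POST['hmmr_roles'] and a nonce field named 'hmmr_nonce'.

// Vulnerable pattern: the checkboxes are only disabled in the browser, so any roles a
// user re-enables with developer tools are applied unconditionally.
function hmmr_vulnerable_save_roles( $user_id ) {
    if ( empty( $_POST['hmmr_roles'] ) ) {
        return;
    }
    $user = get_userdata( $user_id );
    $user->set_role( '' ); // drop existing roles
    foreach ( (array) $_POST['hmmr_roles'] as $role ) {
        $user->add_role( sanitize_key( $role ) );
    }
}

// Hardened pattern: the server decides. Check capability, verify the nonce, and accept
// only roles the current user is actually allowed to grant.
function hmmr_secure_save_roles( $user_id ) {
    if ( ! isset( $_POST['hmmr_roles'] ) ) {
        return;
    }
    // A subscriber editing their own profile fails here regardless of the form contents.
    if ( ! current_user_can( 'edit_user', $user_id ) || ! current_user_can( 'promote_users' ) ) {
        return;
    }
    $nonce = isset( $_POST['hmmr_nonce'] ) ? $_POST['hmmr_nonce'] : '';
    if ( ! wp_verify_nonce( $nonce, 'hmmr_save_roles_' . $user_id ) ) {
        return;
    }
    // get_editable_roles() is filtered by 'editable_roles' and is available in admin context.
    $editable  = array_keys( get_editable_roles() );
    $requested = array_map( 'sanitize_key', (array) $_POST['hmmr_roles'] );
    $allowed   = array_values( array_intersect( $requested, $editable ) );
    if ( empty( $allowed ) ) {
        return;
    }
    $user = get_userdata( $user_id );
    $user->set_role( $allowed[0] );
    foreach ( array_slice( $allowed, 1 ) as $role ) {
        $user->add_role( $role );
    }
}
add_action( 'profile_update', 'hmmr_secure_save_roles' );
```

The key difference is that the hardened version never relies on the form state: disabled inputs are a usability hint, not an authorization control.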
2021-07-20: Initial notification to vendor
2021-07-27: Tried contacting vendor again through another channel
2021-07-28: Contact with vendor established
2021-08-02: Received and verified suggested fixes from vendor
2021-08-02: Fixed version released on wordpress.org
If you are using the HM Multiple Roles WordPress plugin version 1.2 or earlier on your site, we recommend that you upgrade to the latest version as soon as possible.
At Jetpack, we work hard to make sure your websites are protected from these types of vulnerabilities. To stay one step ahead of any new threats, check out Jetpack Scan, which includes security scanning and automated malware removal.
Original researcher: Harald Eilertsen
Thanks to the rest of the Jetpack Scan team for feedback, help, and corrections. Also thanks to the WPScan team for the prompt response to our feedback on the issue, and to HM Plugin for being responsive and promptly fixing the issue.