
MemberSonic Lite <= 1.2 allows login without proper authorization

While looking for a membership plugin for WordPress I stumbled on MemberSonic and the free version of their plugin, MemberSonic Lite. After a 10-minute wait while watching their promotional video, they finally email you a link to the Lite version. I could not find any indication on the site regarding how many sites/users their plugins have. It appears that they released something back in September of 2012, so there must be more than a handful of users out there.

Anyone using MemberSonic Lite should upgrade immediately: version 1.2 has a flaw that allows an unauthorized user to log in to any account simply by knowing the email address associated with that account. This includes any accounts with administrator privileges.

I do not know if this affects the commercial version of the product and I have not done any further auditing of the Lite product. As of 6/28/2016, there has not been a new posting on their blog related to this issue or announcing an update to the Pro version.

Timeline

  • 6/20/2016 12:51pm Initial email attempt
  • 6/22/2016 7:45am Additional email attempt
  • 6/23/2016 2:49pm Final email attempt
  • 6/23/2016 3:07pm Email response received
  • 6/23/2016 3:16pm Full disclosure email sent
  • 6/24/2016 9:53am Received updated version 1.301
  • 6/24/2016 1:19pm Received updated version 1.302 that resolves original issue