Memberpress Downloads < 1.2.6 – Subscriber+ Arbitrary File Upload

Description

The plugin does not properly check user capabilities in its file uploading AJAX endpoint, relying on WordPress nonces to do so. Unfortunately, the nonce can be leaked by any logged-in users, like subscribers. Since the Uploader library they use does not check file extensions at all, this may lead to RCE on sites running on NGINX servers.

Proof of Concept

The PoC will be displayed once the issue has been remediated.

Affects Plugins

memberpress-downloads

Fixed in 1.2.6

Classification

Type

ACCESS CONTROLS

OWASP top 10

A5: Broken Access Control

CWE

CWE-284

CVSS

9.9 (critical)

Miscellaneous

Original Researcher

WPScan

Submitter

WPScan

Submitter website

https://wpscan.com

Submitter twitter

_WPScan_

Verified

Yes

WPVDB ID

a2008244-f713-44c5-a3ec-0c3b3e9edd6b

Timeline

Publicly Published

2022-09-19 (about 3 years ago)

Added

2022-09-19 (about 3 years ago)

Last Updated

2022-10-05 (about 3 years ago)

Other

Published

Title

Published

2022-05-18

Title

JupiterX < 2.0.7 & JupiterX Core < 2.0.7 - Subscriber+ Arbitrary Plugin Deactivation and Settings Update

Published

2021-08-23

Title

Timetable and Event Schedule by MotoPress < 2.4.2 - Unauthorised Event TimeSlot Update

Published

2024-01-24

Title

Views for WPForms < 3.2.3 - Missing Authorization via get_form_fields

Published

2023-12-27

Title

Rencontre – Dating Site < 3.11 - Privilege Escalation

Published

2023-06-02

Title

Online Booking & Scheduling Calendar for WordPress by vcita < 4.4.3 - Unauthenticated Stored XSS