Paid Memberships Pro [Send Email With Arbitrary Content]
Description
The Paid Memberships Pro plugin contains various files that are directly accessible. One of those files is paid-memberships-pro/services/authnet-silent-post.php, which implements something like an email alerts system.
An attacker can directly call this file on the affected website, passing arbitrary data to various POST parameters. This allows the attacker to manipulate the script into sending emails to specific users, even administrators. The email will look like it is coming directly from the affected website, so the recipient will assume it comes from a trusted source.
By exploiting this vulnerability an attacker can also update specific subscription orders which they have no right to modify. For this to work the attacker must have a subscription transaction id from an order paid via the authorize.net gateway. This kind of exploitation is a bit trickier and relies on information that shouldn't be accessible to users, or at least is hard to find.
PoC
curl -XPOST 'http://wp1.dev/wp-content/plugins/paid-memberships-pro/services/authnet-silent-post.php' \
-d 'x_subscription_id=1&x_response_code=2&x_country=<script>alert(1);</script>'
curl 'http://wp1.dev/wp-content/plugins/paid-memberships-pro/services/authnet-silent-post.php' \
-d 'x_subscription_id=1&mal_var=<img src="http://mal-server.com/pwnd.png"></img>'
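As an added example (not part of the advisory or the plugin), a log-review script that flags requests to the silent-post endpoint coming from outside a gateway source allowlist, and markup fragments like those in the PoC appearing in the query string. The allowlist range and the access-log lines are constructed placeholders.

```python
import re
from ipaddress import ip_address, ip_network
from urllib.parse import urlsplit, unquote

# Endpoint named in the advisory; it should only ever be called by the
# payment gateway's servers, never by browsers or arbitrary clients.
SILENT_POST_PATH = "/wp-content/plugins/paid-memberships-pro/services/authnet-silent-post.php"

# Placeholder (RFC 5737 documentation range): replace with the gateway's
# published callback source ranges.
GATEWAY_SOURCES = [ip_network("198.51.100.0/24")]

# Markup fragments like those in the advisory's PoC, seen in a query string.
SUSPICIOUS_QUERY = re.compile(r"<\s*(script|img|iframe)\b", re.IGNORECASE)

# Combined log format: ip ident user [ts] "METHOD target proto" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

def parse_line(line):
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def assess(line):
    """Return a list of findings for one access-log line (empty if benign)."""
    rec = parse_line(line)
    if rec is None:
        return []
    parts = urlsplit(rec["target"])
    if parts.path != SILENT_POST_PATH:
        return []
    findings = []
    src = ip_address(rec["ip"])
    if not any(src in net for net in GATEWAY_SOURCES):
        findings.append(f"{rec['ip']} {rec['method']} silent-post endpoint from non-gateway source")
    if SUSPICIOUS_QUERY.search(unquote(parts.query)):
        findings.append(f"{rec['ip']} markup in query string: {unquote(parts.query)[:60]}")
    return findings

def scan(lines):
    return [f for line in lines for f in assess(line)]

# Constructed sample lines, not taken from any real server.
SAMPLE_LOG = [
    '198.51.100.7 - - [12/Apr/2016:10:00:01 +0000] "POST /wp-content/plugins/paid-memberships-pro/services/authnet-silent-post.php HTTP/1.1" 200 12 "-" "Mozilla/4.0"',
    '203.0.113.9 - - [12/Apr/2016:10:00:05 +0000] "POST /wp-content/plugins/paid-memberships-pro/services/authnet-silent-post.php HTTP/1.1" 200 12 "-" "curl/7.47.0"',
    '203.0.113.9 - - [12/Apr/2016:10:00:09 +0000] "GET /wp-content/plugins/paid-memberships-pro/services/authnet-silent-post.php?x_subscription_id=1&x_country=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 12 "-" "curl/7.47.0"',
    '203.0.113.9 - - [12/Apr/2016:10:00:12 +0000] "GET /wp-login.php HTTP/1.1" 200 1234 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

POST bodies are not recorded in access logs, so this only catches the caller and any query-string payload; server-side, the endpoint itself still needs to verify that each callback genuinely originates from the gateway.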
Solution
No fix available
- 12 April 2016
- Pan Vag
- www.paidmembershipspro.com
- Paid Memberships Pro
- 1.8.9
- WordPress 4.4.2
- DWF-2016-87019