WordPress UltimateMember 2.0 Cross Site Scripting

14 Feb 2018 00:00:00 | Reported by Aloyce J. Makalanga | Type: packetstorm | Source: packetstormsecurity.com

Stored Cross-Site Scripting in UltimateMember WordPress plugin 2.0, Impact: Remote Code Execution / Information Disclosure, CVE-2018-6943, CVE-2018-6944, Vulnerable code in $temp variabl

Related

| Reporter | Title | Published |
|---|---|---|
| CVE | CVE-2018-6943 | 16 Feb 2018 14:00 |
| CVE | CVE-2018-6944 | 16 Feb 2018 14:00 |
| Cvelist | CVE-2018-6943 | 16 Feb 2018 14:00 |
| Cvelist | CVE-2018-6944 | 16 Feb 2018 14:00 |
| EUVD | EUVD-2018-18687 | 7 Oct 2025 00:30 |
| EUVD | EUVD-2018-18688 | 7 Oct 2025 00:30 |
| NVD | CVE-2018-6943 | 16 Feb 2018 14:29 |
| NVD | CVE-2018-6944 | 16 Feb 2018 14:29 |
| OpenVAS | WordPress Ultimate Member Plugin 2.0 Multiple XSS Vulnerabilities | 19 Feb 2018 00:00 |
| Prion | Cross site scripting | 16 Feb 2018 14:29 |

`1 of 2:  
  
# Exploit Title: Stored Cross-Site Scripting (XSS) in UltimateMember WordPress plugin 2.0  
# CVE: CVE-2018-6943  
# Date: 02-12-2018  
# Software Link: https://ultimatemember.com  
# Exploit Author: Aloyce J. Makalanga  
# Contact: https://twitter.com/aloycemjr  
# Vendor Homepage: https://ultimatemember.com  
# Category: webapps  
# Impact: Remote Code Execution / Information Disclosure  
  
1. Description  
> UltimateMember plugin 2.0 for WordPress  
> has a cross-site scripting vulnerability because it fails to properly sanitize user input passed to  
> the $temp variable.  
> An attacker can use this vulnerability to inject malicious JavaScript  
> code into the UltimateMember WordPress plugin, which will execute  
> within the browser of any user who views the relevant WordPress  
> plugin.  
  
2. Proof of Concept  
  
28: $id = $_POST['key'];  
50: $file = $id."-".$_FILES[$id]["name"];  
51: $file = sanitize_file_name($file);  
52: $ext = strtolower( pathinfo($file, PATHINFO_EXTENSION) );  
28: $id = $_POST['key'];  
50: $file = $id."-".$_FILES[$id]["name"];  
51: $file = sanitize_file_name($file);  
60: $file = "stream_photo_".md5($file)."_".uniqid().".".$ext;  
49: $temp = $_FILES[$id]["tmp_name"]; <========== Vulnerable code   
61: $ret[ ] = $ultimatemember->files->new_image_upload_temp( $temp, $file, um_get_option('image_compression') );  
70: echo json_encode($ret);  
  
3. Solution:  
  
Vendor has issued an update.  
  
  
  
2 of 2:  
  
  
# Exploit Title: Stored Cross-Site Scripting (XSS) in UltimateMember WordPress plugin 2.0  
# CVE: CVE-2018-6944  
# Date: 02-12-2018  
# Software Link: https://ultimatemember.com  
# Exploit Author: Aloyce J. Makalanga  
# Contact: https://twitter.com/aloycemjr  
# Vendor Homepage: https://ultimatemember.com  
# Category: webapps  
# Impact: Remote Code Execution / Information Disclosure  
  
1. Description  
> UltimateMember plugin 2.0 for WordPress  
> has a cross-site scripting vulnerability because it fails to properly sanitize user input passed to  
> the $temp variable.  
> An attacker can use this vulnerability to inject malicious JavaScript  
> code into the UltimateMember WordPress plugin, which will execute  
> within the browser of any user who views the relevant WordPress  
> plugin.  
  
2. Proof of Concept  
  
30: $id = $_POST['key'];  
  
53: $file = apply_filters('um_upload_file_name',$id."-".$_FILES[$id]["name"],$id,$_FILES[$id]["name"]);  
  
54: $file = sanitize_file_name($file);  
  
52: $temp = $_FILES[$id]["tmp_name"];<==========Vulnerable code   
  
61: $ret[] = $ultimatemember->files->new_file_upload_temp( $temp, $file );  
  
72: echo json_encode($ret);  
  
  
3. Solution:  
  
Vendor has issued an update.  
  
`
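
A hardened form of the upload pattern shown in both proof-of-concept excerpts, as an added example: it is not UltimateMember's code and not the vendor's update. `validate_upload()`, `json_response()`, `ALLOWED_EXT` and the sample request are hypothetical names and constructed data, and the callable parameter stands in for `is_uploaded_file()` so the script runs offline.

```php
<?php
// Added example: not plugin code. All names and sample data here are hypothetical.
const ALLOWED_EXT = ['jpg', 'jpeg', 'png', 'gif'];

function validate_upload(array $post, array $files, ?callable $isUploaded = null): array
{
    $isUploaded = $isUploaded ?? 'is_uploaded_file';
    $id = $post['key'] ?? '';
    // The field key arrives from the client: accept only a strict identifier.
    if (!is_string($id) || !preg_match('/^[a-z0-9_]{1,64}$/', $id)) {
        return ['error' => 'invalid key'];
    }
    $f = $files[$id] ?? null;
    if (!is_array($f) || ($f['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        return ['error' => 'upload failed'];
    }
    // tmp_name must be a file PHP itself received during this request.
    $tmp = $f['tmp_name'] ?? null;
    if (!is_string($tmp) || !$isUploaded($tmp)) {
        return ['error' => 'not an uploaded file'];
    }
    // Only the extension of the client-supplied name is used, after an allowlist check.
    $ext = strtolower(pathinfo((string) ($f['name'] ?? ''), PATHINFO_EXTENSION));
    if (!in_array($ext, ALLOWED_EXT, true)) {
        return ['error' => 'file type not allowed'];
    }
    // Server-generated name: no client-controlled text reaches storage or the response.
    $name = 'stream_photo_' . bin2hex(random_bytes(16)) . '.' . $ext;
    return ['tmp' => $tmp, 'file' => $name];
}

function json_response(array $data): string
{
    // Hex-escape <, >, &, ' and " so the JSON stays inert if it is ever placed in HTML.
    return json_encode($data, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT);
}

// Constructed sample request; the arrow function replaces is_uploaded_file() offline.
$files = ['profile_photo' => [
    'name'     => '<i>markup<i>.png',
    'tmp_name' => '/tmp/phpEXAMPLE',
    'error'    => UPLOAD_ERR_OK,
]];
$ok  = validate_upload(['key' => 'profile_photo'], $files, fn($p) => true);
$bad = validate_upload(['key' => '<i>key<i>'], $files, fn($p) => true);
echo json_response(['file' => $ok['file'] ?? null]), "\n";
echo json_response($bad), "\n";
```

In a real handler the response would also be sent with a `Content-Type: application/json` header, and any page that later displays a stored file name would escape it at output time.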
