WordPress User Meta Manager 3.4.6 Plugin - Information Disclosure

ID 1337DAY-ID-24904
Type zdt
Reporter Panagiotis Vagenas
Modified 2016-02-08T00:00:00


Exploit for php platform in category web applications

                                            * Exploit Title: WordPress User Meta Manager Plugin [Information Disclosure]
* Discovery Date: 2015-12-28
* Public Disclosure Date: 2016-02-01
* Exploit Author: Panagiotis Vagenas
* Contact: https://twitter.com/panVagenas
* Vendor Homepage: http://jasonlau.biz/home/
* Software Link: https://wordpress.org/plugins/user-meta-manager/
* Version: 3.4.6
* Tested on: WordPress 4.4
* Category: webapps
## Description
User Meta Manager for WordPress plugin up to v3.4.6 suffers from a information disclosure vulnerability. Any registered user can perform an a series of AJAX 
requests, in order to get all contents of `usermeta` DB table. 
`usermeta` table holds additional information for all registered users. User Meta Manager plugin offers a `usermeta` table backup functionality. During the backup process the plugin takes no action in protecting the leakage of the table contents to unauthorized (non-admin) users.
## PoC
### Get as MySQL query
First a backup table must be created
curl -c ${USER_COOKIES} \
Then we get the table with another request
curl -c ${USER_COOKIES} \
### Get as CSV file
curl -c ${USER_COOKIES} \
## Solution
Upgrade to version 3.4.8

#  0day.today [2018-01-10]  #