Users Ultra [Unrestricted File Upload]

WordPress plugin Users Ultra suffers for an unrestricted file upload vulnerability.


Any user (registered or not) can exploit a misbehavior of the plugin in order to upload csv files to the infected website. Although the plugin checks file extension using an extensions white-list (in this case only csv files are white-listed), no other checks (mime, size etc) are taking place. This alone can expose the infected website to a variety of attacks, please see OWASP Unrestricted File Upload to get an idea.


The plugin workflow that could allow a malicious user to exploit this misbehavior is as follows:

Upon initialization of the plugin (anytime if it is activated) an instance of XooUserUser class is created

In the constructor of XooUserUser class a check for POST variable uultra-form-cvs-form-conf is taking place file wp-content/plugins/users-ultra/xooclasses/xoo.userultra.user.php lines 19-23

if (isset($_POST['uultra-form-cvs-form-conf']))
    /* Let's Update the Profile */

Assuming the POST variable uultra-form-cvs-form-conf has been set in the request, the method XooUserUser::process_cvs() is called.

XooUserUser::process_cvs() method process every file in $_FILES super-global by only making a check if the file has a csv extension

In addition we mark the following points:

  1. A malicious user can create and activate user accounts by exploiting this vulnerability if $_POST["uultra-activate-account"] is set to active
  2. A welcome email is send if $_POST["uultra-send-welcome-email"] is set to 1
  3. The csv files uploaded to the server are stored in a directory (wp-content/usersultramedia/import by default) accessible by anyone
  4. Any additional columns present in the csv file are stored in usermeta
  5. No sanitization for values in csv file can easily lead to a Persistent XSS attack, so an attacker can compromise the whole site


The following Python3 script forms a csv file and uploads it to a site

import requests
import csv
import tempfile

url = ''

postData = {
    'uultra-form-cvs-form-conf': 1,
    'uultra-send-welcome-email': 1,
    'uultra-activate-account': 'pending'

csvFileHeader = ['user name', 'email', 'display name', 'registration date', 'first name', 'last name', 'age', 'country']
csvFileRow = ['userName', '', 'User Name', '1/1/1', 'User', 'Name', '100', 'IO']

csvFile = tempfile.NamedTemporaryFile(mode='a+t', suffix='.csv')

wr = csv.writer(csvFile, quoting=csv.QUOTE_ALL, delimiter=',')


files = {'file.csv': csvFile}

r =, data=postData, files=files)



Update to version 1.5.59

  • 2015-10-27:
    Requested CVE ID
  • 2015-10-29:
    Vendor notified via email
  • 2015-11-11:
    Vendor notified via contact form in his website
  • 2015-11-11:
    Requested CVE ID (no response from 2015-10-27)
  • 2015-11-13:
    Vendor notified via support forums at
  • 2015-11-14:
    Vendor responded and received report through email
  • 2015-11-15:
    Vendor responded
  • 2015-11-15:
    Patch released