1 of 2:
# Exploit Title: Stored Cross-Site Scripting (XSS) in UltimateMember WordPress plugin 2.0
# CVE: CVE-2018-6943
# Date: 02-12-2018
# Software Link: https://ultimatemember.com
# Exploit Author: Aloyce J. Makalanga
# Contact: https://twitter.com/aloycemjr
# Vendor Homepage: https://ultimatemember.com
# Category: webapps
# Impact: Remote Code Execution / Information Disclosure
1. Description
> UltimateMember plugin 2.0 for WordPress has a cross-site scripting vulnerability because it fails to properly sanitize user input passed to the $temp variable.
> An attacker can use this vulnerability to inject malicious JavaScript code into the UltimateMember WordPress plugin, which will execute within the browser of any user who views the relevant WordPress plugin.
2. Proof of Concept
28: $id = $_POST['key'];
49: $temp = $_FILES[$id]["tmp_name"]; <========== Vulnerable code
50: $file = $id."-".$_FILES[$id]["name"];
51: $file = sanitize_file_name($file);
52: $ext = strtolower( pathinfo($file, PATHINFO_EXTENSION) );
60: $file = "stream_photo_".md5($file)."_".uniqid().".".$ext;
61: $ret[] = $ultimatemember->files->new_image_upload_temp( $temp, $file, um_get_option('image_compression') );
70: echo json_encode($ret);
3. Solution:
Vendor has issued an update.
2 of 2:
# Exploit Title: Stored Cross-Site Scripting (XSS) in UltimateMember WordPress plugin 2.0
# CVE: CVE-2018-6944
# Date: 02-12-2018
# Software Link: https://ultimatemember.com
# Exploit Author: Aloyce J. Makalanga
# Contact: https://twitter.com/aloycemjr
# Vendor Homepage: https://ultimatemember.com
# Category: webapps
# Impact: Remote Code Execution / Information Disclosure
1. Description
> UltimateMember plugin 2.0 for WordPress has a cross-site scripting vulnerability because it fails to properly sanitize user input passed to the $temp variable.
> An attacker can use this vulnerability to inject malicious JavaScript code into the UltimateMember WordPress plugin, which will execute within the browser of any user who views the relevant WordPress plugin.
2. Proof of Concept
30: $id = $_POST['key'];
52: $temp = $_FILES[$id]["tmp_name"]; <========== Vulnerable code
53: $file = apply_filters('um_upload_file_name',$id."-".$_FILES[$id]["name"],$id,$_FILES[$id]["name"]);
54: $file = sanitize_file_name($file);
61: $ret[] = $ultimatemember->files->new_file_upload_temp( $temp, $file );
72: echo json_encode($ret);
3. Solution:
Vendor has issued an update.
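Both proofs of concept above quote the same pattern: the field name comes from $_POST['key'] and is used directly as the index into $_FILES, the file extension is derived from the client-supplied filename, and the result array is echoed as JSON with no output encoding. The following is an added example, written for this note and not the plugin's code or the vendor's fix, of a hardened upload handler that closes each of those gaps with core PHP only. The names ALLOWED_FIELDS, ALLOWED_IMAGE_TYPES, handle_image_upload() and send_json() are hypothetical, and the destination directory is an assumption.

```php
<?php
// Added example (not Ultimate Member code): a hardened upload handler
// contrasting with the pattern quoted in the PoC sections above.
// Hypothetical names: ALLOWED_FIELDS, ALLOWED_IMAGE_TYPES,
// handle_image_upload(), send_json().
declare(strict_types=1);

// The only form fields this endpoint will read from $_FILES. The PoC
// trusts $_POST['key'] as the $_FILES index; an allowlist removes that
// client-chosen lookup entirely.
const ALLOWED_FIELDS = ['profile_photo', 'cover_photo'];

// Extension is chosen from the sniffed MIME type, never from the
// client-supplied filename, so a name ending in .svg or .html cannot
// become a stored file that a browser later renders as markup.
const ALLOWED_IMAGE_TYPES = [
    'image/jpeg' => 'jpg',
    'image/png'  => 'png',
    'image/gif'  => 'gif',
];

/**
 * Validate one uploaded image and move it into $dest_dir under a
 * server-generated name. $post and $files are parameters (rather than
 * the superglobals) so the function can be exercised without a live
 * request. Returns ['ok' => bool, 'file' => ?string, 'error' => ?string].
 */
function handle_image_upload(array $post, array $files, string $dest_dir): array
{
    $id = $post['key'] ?? '';
    if (!in_array($id, ALLOWED_FIELDS, true)) {
        return ['ok' => false, 'file' => null, 'error' => 'unknown field'];
    }
    $upload = $files[$id] ?? null;
    if (!is_array($upload) || ($upload['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        return ['ok' => false, 'file' => null, 'error' => 'no file'];
    }
    $temp = (string) $upload['tmp_name'];
    // Accept only a path PHP created for this request; rejects a
    // tmp_name that points at some other file on disk.
    if (!is_uploaded_file($temp)) {
        return ['ok' => false, 'file' => null, 'error' => 'not an upload'];
    }
    // Sniff the content instead of trusting $_FILES[...]['type'] or the name.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($temp);
    if (!is_string($mime) || !isset(ALLOWED_IMAGE_TYPES[$mime])) {
        return ['ok' => false, 'file' => null, 'error' => 'unsupported type'];
    }
    $ext = ALLOWED_IMAGE_TYPES[$mime];
    // The stored name is entirely server-generated: nothing the client
    // sent reaches the filesystem path or the JSON response.
    $name = 'stream_photo_' . bin2hex(random_bytes(16)) . '.' . $ext;
    $dest = rtrim($dest_dir, '/') . '/' . $name;
    if (!is_dir($dest_dir) || !move_uploaded_file($temp, $dest)) {
        return ['ok' => false, 'file' => null, 'error' => 'move failed'];
    }
    return ['ok' => true, 'file' => $name, 'error' => null];
}

// Send the result as JSON with an explicit content type, nosniff, and
// "<", ">", "&" and quotes hex-encoded, so the body is never interpreted
// as HTML even if a browser is pointed at the endpoint directly.
function send_json(array $payload): void
{
    header('Content-Type: application/json; charset=utf-8');
    header('X-Content-Type-Options: nosniff');
    echo json_encode($payload, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT);
}

if (PHP_SAPI !== 'cli') {
    // Assumed destination directory; must exist, not be web-executable,
    // and ideally be served with nosniff as well.
    send_json(handle_image_upload($_POST, $_FILES, __DIR__ . '/uploads'));
}
```

Inside WordPress the same checks would normally go through the platform's own helpers: check_ajax_referer() on the request, current_user_can() before touching the upload, and wp_check_filetype_and_ext() in place of the hand-rolled finfo lookup. The points that matter for this advisory are independent of those helpers: the field key is validated against an allowlist before it is used as an array index, the extension is never taken from the client, and the JSON response carries a content type and encoding that keep it from rendering as a page.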