WordPress UltimateMember 2.0 Cross Site Scripting

2018.02.16
Risk: Low
Local: No
Remote: Yes
CWE: CWE-79

1 of 2:

# Exploit Title: Stored Cross-Site Scripting (XSS) in UltimateMember Wordpress plugin 2.0
# CVE: CVE-2018-6943
# Date: 02-12-2018
# Software Link: https://ultimatemember.com
# Exploit Author: Aloyce J. Makalanga
# Contact: https://twitter.com/aloycemjr
# Vendor Homepage: https://ultimatemember.com
# Category: webapps
# Impact: Remote Code Execution / Information Disclosure

1. Description

UltimateMember plugin 2.0 for WordPress has a cross-site scripting vulnerability because it fails to properly sanitize user input passed to the $temp variable. An attacker can use this vulnerability to inject malicious JavaScript code into the UltimateMember WordPress plugin, which will execute within the browser of any user who views the relevant WordPress plugin.

2. Proof of Concept

28: $id = $_POST['key'];
50: $file = $id."-".$_FILES[$id]["name"];
51: $file = sanitize_file_name($file);
52: $ext = strtolower( pathinfo($file, PATHINFO_EXTENSION) );

28: $id = $_POST['key'];
50: $file = $id."-".$_FILES[$id]["name"];
51: $file = sanitize_file_name($file);
60: $file = "stream_photo_".md5($file)."_".uniqid().".".$ext;

49: $temp = $_FILES[$id]["tmp_name"]; <========== Vulnerable code
61: $ret[ ] = $ultimatemember->files->new_image_upload_temp( $temp, $file, um_get_option('image_compression') );
70: echo json_encode($ret);

3. Solution:

Vendor has issued an update.

2 of 2:

# Exploit Title: Stored Cross-Site Scripting (XSS) in UltimateMember Wordpress plugin 2.0
# CVE: CVE-2018-6944
# Date: 02-12-2018
# Software Link: https://ultimatemember.com
# Exploit Author: Aloyce J. Makalanga
# Contact: https://twitter.com/aloycemjr
# Vendor Homepage: https://ultimatemember.com
# Category: webapps
# Impact: Remote Code Execution / Information Disclosure

1. Description

UltimateMember plugin 2.0 for WordPress has a cross-site scripting vulnerability because it fails to properly sanitize user input passed to the $temp variable. An attacker can use this vulnerability to inject malicious JavaScript code into the UltimateMember WordPress plugin, which will execute within the browser of any user who views the relevant WordPress plugin.

2. Proof of Concept

30: $id = $_POST['key'];
53: $file = apply_filters('um_upload_file_name',$id."-".$_FILES[$id]["name"],$id,$_FILES[$id]["name"]);
54: $file = sanitize_file_name($file);

52: $temp = $_FILES[$id]["tmp_name"]; <========== Vulnerable code
61: $ret[] = $ultimatemember->files->new_file_upload_temp( $temp, $file );
72: echo json_encode($ret);

3. Solution:

Vendor has issued an update.
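
Both traces above follow the same path: $_POST['key'] selects the upload, the client-supplied file name is folded into $file, and the result is echoed with json_encode(). The block below is an added example, not the vendor's update and not code from the plugin, showing one way to harden that path in plain PHP 7.3+; ALLOWED_KEYS, ALLOWED_EXT, safe_upload_name() and json_response() are hypothetical names, and the request data is constructed.

```php
<?php
// Added example, not the plugin's code. All names below are hypothetical.
const ALLOWED_KEYS = ['profile_photo', 'cover_photo']; // form fields the server expects
const ALLOWED_EXT  = ['jpg', 'jpeg', 'png', 'gif'];

/** Return a server-generated name for the upload, or null to reject it. */
function safe_upload_name(array $post, array $files): ?string
{
    $id = $post['key'] ?? '';
    // The key must be a known field name, never an arbitrary client string.
    if (!is_string($id) || !in_array($id, ALLOWED_KEYS, true) || !isset($files[$id])) {
        return null;
    }
    $name = $files[$id]['name'] ?? '';
    if (!is_string($name)) {
        return null; // array-style upload fields are not accepted here
    }
    $ext = strtolower(pathinfo($name, PATHINFO_EXTENSION));
    if (!in_array($ext, ALLOWED_EXT, true)) {
        return null;
    }
    // Only the allowlisted extension survives from the client's input.
    return 'upload_' . bin2hex(random_bytes(16)) . '.' . $ext;
}

/** Encode a response so it stays inert even if a browser treats it as HTML. */
function json_response(array $ret): string
{
    $flags = JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_THROW_ON_ERROR;
    return json_encode($ret, $flags);
}

// Constructed request data: a valid key with markup characters in the file name.
$post  = ['key' => 'profile_photo'];
$files = ['profile_photo' => ['name' => '"><b>holiday.png', 'tmp_name' => '/tmp/phpA1b2C3']];

$stored = safe_upload_name($post, $files);

// Declare the body as JSON and forbid content sniffing.
header('Content-Type: application/json; charset=utf-8');
header('X-Content-Type-Options: nosniff');

// Even if the original name is reflected, <, >, &, ' and " leave as \uXXXX escapes.
echo json_response($stored === null
    ? ['error' => 'upload rejected']
    : ['file' => $stored, 'original' => $files[$post['key']]['name']]), PHP_EOL;
```

Any page that later inserts the returned values into the DOM still needs to escape them for the HTML context it writes to.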

