buddypress-xprofile-custom-fields-type 2.6.3 - Authenticated Arbitrary File Deletion
Description
Required user access: any registered BuddyPress user.

$_POST[ 'field_' . $field_id . '_hiddenfile' ] is neither sanitized nor validated before use.
$_POST[ 'field_' . $field_id . '_deleteimg' ] is neither sanitized nor validated before use.
Code

File: wp-content/plugins/buddypress-xprofile-custom-fields-type/bp-xprofile-custom-fields-type.php
Lines: 452, 472, 496, 513, 568, 579
Examples:

    unlink( $uploads['basedir'] . $_POST[ 'field_' . $field_id . '_hiddenfile' ] );
    unlink( $uploads['basedir'] . $_POST[ 'field_' . $field_id . '_hiddenimg' ] );
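For contrast, the following handler is an added illustration and not code from the plugin: it keeps the request as nothing more than an intent to delete, takes the path from the value already stored for the user's field, and refuses anything that resolves outside the uploads directory. The function names, the nonce action name and the stored-value format are assumptions; wp_upload_dir(), xprofile_get_field_data() and check_admin_referer() are the real WordPress/BuddyPress APIs.

```php
<?php
// Added example, not the plugin's own code. Function names, the nonce
// action and the stored-value format are assumptions.

// Vulnerable pattern described on this page: a POST value is appended to
// the uploads base directory and passed straight to unlink(), so the
// request decides which file the web server's user deletes.
function bpxcft_delete_upload_vulnerable( $field_id ) {
    $uploads = wp_upload_dir();
    unlink( $uploads['basedir'] . $_POST[ 'field_' . $field_id . '_hiddenfile' ] );
}

// Hardened version: the request may only express the intent to delete;
// the path comes from the value stored for this user's field and is
// still confined to the uploads directory as defence in depth.
function bpxcft_delete_upload( $field_id, $user_id ) {
    if ( empty( $_POST[ 'field_' . $field_id . '_deleteimg' ] ) ) {
        return false; // no delete requested
    }
    check_admin_referer( 'bp_xprofile_edit' ); // CSRF check; action name assumed
    if ( get_current_user_id() !== (int) $user_id ) {
        return false; // only the profile owner may remove their own upload
    }
    // Assumed format: a path relative to the uploads dir, e.g. "/2018/01/photo.jpg".
    $stored = xprofile_get_field_data( $field_id, $user_id );
    if ( ! is_string( $stored ) || '' === $stored ) {
        return false;
    }
    $uploads = wp_upload_dir();
    $base    = realpath( $uploads['basedir'] );
    // realpath() collapses "..", symlinks and repeated slashes, and
    // returns false when the file does not exist.
    $target = realpath( $base . '/' . ltrim( $stored, '/\\' ) );
    if ( false === $base || false === $target ) {
        return false;
    }
    // Containment check: the resolved path must sit below the uploads dir
    // and must be a regular file, never a directory or a device node.
    if ( 0 !== strpos( $target, $base . DIRECTORY_SEPARATOR ) || ! is_file( $target ) ) {
        return false;
    }
    return unlink( $target );
}
```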
Proof of Concept

https://www.youtube.com/watch?v=uIO_DvWCM3s

1 - Log in as a BuddyPress user.
2 - Open Edit Profile: http://target/members/admin/profile/edit/
3 - Save profile data that includes an image.
4 - Change the delete-image parameter in the HTML and save the profile.

More details with images:

http://lenonleite.com.br/publish-exploits/plugin-buddypress-xprofile-custom-fields-type-2-6-3-rce-unlink/

References

URL http://lenonleite.com.br/2018/01/08/13-17-wordpress-plugins-with-over-150000-270000-active-downloads-with-the-same-security-issues/
URL https://www.youtube.com/watch?v=uIO_DvWCM3s

Classification

Type RCE
OWASP Top 10 A1: Injection
CWE CWE-94

Miscellaneous

Submitter Lenon Leite
Submitter Website https://lenonleite.com.br/
Submitter Twitter https://twitter.com/lenonleite
Views 889
Verified No
WPVDB ID 9058

Timeline

Publicly Published 2018-01-04
Added 2018-04-09
Last Updated 2018-04-09

Copyright & License

Copyright All data and resources contained within this page and this web site are Copyright © The WPScan Team.
License Some of this data may be used for non-commercial purposes, however, any potential commercial usage of this data will require a license. If you would like to inquire about a commercial license please contact us.