# Exploit Title: WPGYM - Wordpress Gym Management System <= 07-05-2017 - Remote Code Execution / Stored XSS # Date: 2017-07-25 # Exploit Author: 8bitsec # Vendor Homepage: http://www.mobilewebs.net/ # Software Link: https://codecanyon.net/item/-wpgym-wordpress-gym-management-system/13352964 # Version: ? # Tested on: [Kali Linux 2.0 | Mac OS 10.12.6] # Email: contact@8bitsec.io # Contact: https://twitter.com/_8bitsec Release Date: ============= 2017-07-25 Product & Service Introduction: =============================== WPGYM a Wordpress Gym Management System ideal Wordpress plugin for your Wordpress powered gym management system. The plugin is not version numbered, it was tested on version 07-05-2017. Technical Details & Description: ================================ Authenticated Stored XSS vulnerability found on Account section. Remote Code Execution via Arbitrary File Upload. All vulnerabilities tested as a low priv user (member). Proof of Concept (PoC): ======================= Remote Code Execution shell.png.php: Member > View > Add weight > Upload image > shell.png.php > Save Measurement An alert will warn you about incorrect file type but it will still upload it. Go to Workouts > View Measurement > Right Click on Image > View Image or Copy Image URL Paste on your browser and add ?cmd=[command] Example: https://localhost/wordpress/gym/wp-content/uploads/gym_assets/1501018920-pimg-in.php?cmd=id Authenticated Stored XSS: Account > Home Town Address textfield is vulnerable. ================== 8bitsec - [https://twitter.com/_8bitsec]