# Exploit Title:  Plugin Buddypress Xprofile Custom Fields Type 2.6.3 RCE a Unlink
# Date: 08/04/2018
# Exploit Author: Lenon Leite
# Vendor Homepage:
# https://wordpress.org/plugins/buddypress-xprofile-custom-fields-type/
# Software Link:
# https://wordpress.org/plugins/buddypress-xprofile-custom-fields-type/
# Contact: http://twitter.com/lenonleite
# Website: http://lenonleite.com.br/
# Category: webapps
# Version: 2.6.3
# Tested on: Ubuntu 16.1
#
#Article:
#http://lenonleite.com.br/publish-exploits/plugin-buddypress-xprofile-custom-fields-type-2-6-3-rce-unlink/
#
#Video:
#https://www.youtube.com/watch?v=By7kT7UbHVk
#
 
1 - Description
  - Type user access: any user registered used in BuddyPress.
  - $_POST[ 'field_' . $field_id . '_hiddenfile' ] is not escaped.
  - $_POST[ 'field_' . $field_id . '_deleteimg' ] is not escaped.
 
 
2. Proof of Concept
 
Login as regular user.
 
1- Log in with BuddyPress User
 
2 - Access Edit Profile:
 
http://target/members/admin/profile/edit/
 
3 - Register data with image:
 
 <http://target/wp-content/uploads/2018/01/buddypress-profile.png>4
- Change parameter to delete image in html and save profile:
<http://target/wp-content/uploads/2018/01/buddypress-profile2.png>
 <http://target/wp-content/uploads/2018/01/buddypress-profile3-1.png>
 
#-- 
#*Atenciosamente*
#
#*Lenon Leite*