1 of 2:

# Exploit Title: Stored Cross-Site Scripting (XSS) in UltimateMember WordPress plugin 2.0
# CVE: CVE-2018-6943
# Date: 02-12-2018
# Software Link: https://ultimatemember.com
# Exploit Author: Aloyce J. Makalanga
# Contact: https://twitter.com/aloycemjr
# Vendor Homepage: https://ultimatemember.com
# Category: webapps
# Impact: Remote Code Execution / Information Disclosure
 
1. Description
  > UltimateMember plugin 2.0 for WordPress has a cross-site scripting
  > vulnerability because it fails to properly sanitize user input passed to
  > the $temp variable.
  > An attacker can use this vulnerability to inject malicious JavaScript
  > code into the UltimateMember WordPress plugin, which will execute
  > within the browser of any user who views the relevant WordPress
  > plugin.
	   
2. Proof of Concept

  28: $id = $_POST['key'];
  50: $file = $id."-".$_FILES[$id]["name"];
  51: $file = sanitize_file_name($file);
  52: $ext = strtolower( pathinfo($file, PATHINFO_EXTENSION) );
  28: $id = $_POST['key'];
  50: $file = $id."-".$_FILES[$id]["name"];
  51: $file = sanitize_file_name($file);
  60: $file = "stream_photo_".md5($file)."_".uniqid().".".$ext;
  49: $temp = $_FILES[$id]["tmp_name"]; <========== Vulnerable code
  61: $ret[] = $ultimatemember->files->new_image_upload_temp( $temp, $file, um_get_option('image_compression') );
  70: echo json_encode($ret);
 
3. Solution:
   
Vendor has issued an update.



2 of 2:


# Exploit Title: Stored Cross-Site Scripting (XSS) in UltimateMember WordPress plugin 2.0
# CVE: CVE-2018-6944
# Date: 02-12-2018
# Software Link: https://ultimatemember.com
# Exploit Author: Aloyce J. Makalanga
# Contact: https://twitter.com/aloycemjr
# Vendor Homepage: https://ultimatemember.com
# Category: webapps
# Impact: Remote Code Execution / Information Disclosure
 
1. Description
  > UltimateMember plugin 2.0 for WordPress has a cross-site scripting
  > vulnerability because it fails to properly sanitize user input passed to
  > the $temp variable.
  > An attacker can use this vulnerability to inject malicious JavaScript
  > code into the UltimateMember WordPress plugin, which will execute
  > within the browser of any user who views the relevant WordPress
  > plugin.
	   
2. Proof of Concept

  30: $id = $_POST['key'];
  53: $file = apply_filters('um_upload_file_name',$id."-".$_FILES[$id]["name"],$id,$_FILES[$id]["name"]);
  54: $file = sanitize_file_name($file);
  52: $temp = $_FILES[$id]["tmp_name"]; <========== Vulnerable code
  61: $ret[] = $ultimatemember->files->new_file_upload_temp( $temp, $file );
  72: echo json_encode($ret);

 
3. Solution:
   
Vendor has issued an update.
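
Both traces (image upload in 1 of 2, file upload in 2 of 2) read $_POST['key'], use it to index $_FILES and to build the file name, and end with echo json_encode($ret). The PHP below is an added example of a defensive shape for such a handler; it is not the vendor's update or plugin code, and the field ids, extension allowlist, function names and sample request are assumptions.

```php
<?php
// Added example, not plugin code: field ids, allowlists and sample data are assumptions.
const ALLOWED_KEYS = ['profile_photo', 'cover_photo']; // hypothetical field ids
const ALLOWED_EXT  = ['jpg', 'jpeg', 'png', 'gif'];

function handle_upload(array $post, array $files): array
{
    $id = $post['key'] ?? '';
    // The request-supplied key indexes $_FILES and prefixes the file name in the
    // traces, so accept only known field ids instead of using it verbatim.
    if (!is_string($id) || !in_array($id, ALLOWED_KEYS, true)) {
        return ['error' => 'invalid field'];
    }
    $f = $files[$id] ?? null;
    if (!is_array($f) || ($f['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        return ['error' => 'upload failed'];
    }
    // In a live request, also require is_uploaded_file($f['tmp_name']) before using tmp_name.
    // Keep nothing from the client file name except an allowlisted extension.
    $ext = strtolower(pathinfo((string) $f['name'], PATHINFO_EXTENSION));
    if (!in_array($ext, ALLOWED_EXT, true)) {
        return ['error' => 'file type not allowed'];
    }
    // Server-generated name: no request data reaches the stored name or the response.
    return ['file' => 'stream_photo_' . bin2hex(random_bytes(16)) . '.' . $ext];
}

function encode_response(array $ret): string
{
    // Escape <, >, &, ' and " so the body stays inert even if rendered as HTML.
    return json_encode($ret, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT);
}

function send_json(array $ret): void
{
    if (!headers_sent()) {
        // Declare the body as JSON and stop browsers from sniffing it as HTML.
        header('Content-Type: application/json; charset=utf-8');
        header('X-Content-Type-Options: nosniff');
    }
    echo encode_response($ret), PHP_EOL;
}

// Constructed sample request with markup in the key and in the file name.
$files = ['profile_photo' => ['name' => '<b>x</b>.png', 'tmp_name' => '/tmp/phpA1', 'error' => UPLOAD_ERR_OK]];
send_json(handle_upload(['key' => '<b>x</b>'], $files));      // key not in allowlist
send_json(handle_upload(['key' => 'profile_photo'], $files)); // accepted, random name
send_json(['echoed' => '<b>x</b>']);                          // markup is hex-escaped
```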