1 of 2:

# Exploit Title: Stored Cross-Site Scripting (XSS) in UltimateMember Wordpress plugin 2.0
# CVE: CVE-2018-6943
# Date: 02-12-2018
# Software Link: https://ultimatemember.com <https://ultimatemember.com/>
# Exploit Author: Author: Aloyce J. Makalanga
# Contact: https://twitter.com/aloycemjr <https://twitter.com/aloycemjr>
# Vendor Homepage: https://ultimatemember.com <https://ultimatemember.com/>
# Category: webapps
# Impact: Remote Code Execution / Information Disclosure
 
1. Description
  > UltimateMember plugin 2.0 for WordPress
        > has a cross-site scripting vulnerability because it fails to properly sanitize user input passed to
        > the $temp variable.
  > An attacker can use this vulnerability to inject malicious JavaScript
  > code into the UltimateMember Wordpress plugin, which will execute
  > within the browser of any user who views the relevant Wordpress
  > plugin.
     
2. Proof of Concept

28: $id = $_POST['key'];
  50:     $file = $id."-".$_FILES[$id]["name"];
  51:     $file = sanitize_file_name($file);
  52:      $ext = strtolower( pathinfo($file, PATHINFO_EXTENSION) );
  28: $id = $_POST['key'];
  50:     $file = $id."-".$_FILES[$id]["name"];
  51:     $file = sanitize_file_name($file);
  60:       $file = "stream_photo_".md5($file)."_".uniqid().".".$ext;
  49:     $temp = $_FILES[$id]["tmp_name"]; <========== Vulnerable code 
  61:       $ret[ ] = $ultimatemember->files->new_image_upload_temp( $temp, $file, um_get_option('image_compression') );
  70: echo json_encode($ret);
 
3. Solution:
   
Vendor has issued an update.



2 of 2:


# Exploit Title: Stored Cross-Site Scripting (XSS) in UltimateMember Wordpress plugin 2.0
# CVE:  CVE-2018-6944
# Date: 02-12-2018
# Software Link: https://ultimatemember.com <https://ultimatemember.com/>
# Exploit Author: Author: Aloyce J. Makalanga
# Contact: https://twitter.com/aloycemjr <https://twitter.com/aloycemjr>
# Vendor Homepage: https://ultimatemember.com <https://ultimatemember.com/>
# Category: webapps
# Impact: Remote Code Execution / Information Disclosure
 
1. Description
  > UltimateMember plugin 2.0 for WordPress
        > has a cross-site scripting vulnerability because it fails to properly sanitize user input passed to
        > the $temp variable.
  > An attacker can use this vulnerability to inject malicious JavaScript
  > code into the UltimateMember Wordpress plugin, which will execute
  > within the browser of any user who views the relevant Wordpress
  > plugin.
     
2. Proof of Concept

30: $id = $_POST['key'];

  53:           $file = apply_filters('um_upload_file_name',$id."-".$_FILES[$id]["name"],$id,$_FILES[$id]["name"]);

  54:     $file = sanitize_file_name($file);

  52:     $temp = $_FILES[$id]["tmp_name"];<==========Vulnerable code 

  61:       $ret[] = $ultimatemember->files->new_file_upload_temp( $temp, $file );

  72: echo json_encode($ret);

 
3. Solution:
   
Vendor has issued an update.