Product: WordPress plugin users-ultra (Users Ultra Lite)
Product URL: https://wordpress.org/plugins/users-ultra/
Vendor: Users Ultra https://usersultra.com/

Vulnerability type: External Control of File Name or Path
CWE: https://cwe.mitre.org/data/definitions/73.html
OVE: OVE-20160509-0046
Vulnerable versions: 1.5.75
Fixed version: 1.5.76
Vendor notification: 2016-03-14
Solution date: 2016-03-18
Public disclosure: 2016-05-10

Description of the plugin:
Users Ultra is the ideal tool for creating advanced user communities in a few minutes. Building a talents community, model agency websites, social communities and any kind of user websites is really fast. It can be integrated in any WordPress Theme. You can add as many fields as you wish by using the Fields Customizer Tool and it comes with reCaptcha.

Steps to reproduce:
The tab parameter is concatenated into a require_once() path without any validation, so a directory traversal in it selects which .php file the server executes. Both requests below go through wp-admin and therefore need a logged-in session; the plugin only checks that the current screen belongs to its own slug before doing the include.

This request climbs out of the plugin directory and executes the WordPress root index.php:

http://example.org/wp-admin/plugins.php?page=userultra&tab=..%2F..%2F..%2F..%2F..%2Findex

On systems where a null byte terminates the path (PHP before 5.3.4, which rejects paths containing a null byte), the trailing %00 cuts off the appended ".php" and the following request shows the contents of /etc/passwd. Null-byte terminators are disabled by default in Debian jessie.
http://example.org/wp-admin/plugins.php?page=userultra&tab=../../../../../../../../../../../../../etc/passwd%00

Affected code:
./xooclasses/xoo.userultra.admin.php (lines 902-919):

    function include_tab_content()
    {
        $screen = get_current_screen();

        if( strstr($screen->id, $this->slug ) )
        {
            if ( isset ( $_GET['tab'] ) )
            {
                // $_GET['tab'] is used as-is: "../" sequences (and, on old PHP, a null byte) reach the include path
                $tab = $_GET['tab'];
            } else {
                $tab = $this->default_tab;
            }

            require_once (xoousers_path.'admin/tabs/'.$tab.'.php');
        }
    }

Vulnerability type: Reflected Cross-site scripting vulnerability
CWE: https://cwe.mitre.org/data/definitions/79.html
OVE: OVE-20160509-0047
Vulnerable versions: 1.5.75 (only one tested)
Fixed version: 1.5.79 (only a nonce check was added; it blocks cross-site submission but does not escape the values)
Vendor notification: 2016-03-15
Solution date: 2016-04-13
Public disclosure: 2016-05-10

Affected query and parameters:
POST /wp-admin/plugins.php?page=userultra&tab=settings
1) uultra_password_lengh
2) membership_display_zero
3) media_uploading_folder
4) media_photo_mini_width
5) media_photo_mini_height
6) media_photo_thumb_width
7) media_photo_thumb_height
8) media_photo_large_width
9) media_photo_large_height
10) uultra_front_publisher_default_amount
11) media_avatar_width
12) media_avatar_height
13) mailchimp_api
14) mailchimp_list_id
15) mailchimp_text
16) mailchimp_header_text
17) captcha_heading
18) captcha_label
19) recaptcha_public_key
20) recaptcha_private_key
21) social_media_facebook_app_id
22) social_media_facebook_secret
23) social_media_linkedin_api_public
24) social_media_linkedin_api_private
25) google_client_id
26) google_client_secret
27) google_redirect_uri
28) instagram_client_id
29) instagram_client_secret
30) instagram_redirect_uri
31) twitter_consumer_key
32) twitter_consumer_secret
33) twitter_autopost_msg
34) yammer_client_id
35) yammer_client_secret
36) yammer_redir_url
37) uultra_loggedin_post_title
38) uultra_loggedin_post_comment_content
39) uultra_loggedin_page_content

Vulnerability type: Stored Cross-site scripting vulnerability
CWE: https://cwe.mitre.org/data/definitions/79.html
OVE: OVE-20160509-0048
Vulnerable versions: 1.5.75 (only one tested)
Fixed version: 1.5.79 (only a nonce check was added; it blocks cross-site submission but does not escape the values)
Vendor notification: 2016-03-15
Solution date: 2016-04-13
Public disclosure: 2016-05-10

Affected query and parameters:
POST /wp-admin/admin.php?page=userultra&tab=mail
1) messaging_private_all_users
2) messaging_send_from_name
3) messaging_send_from_email

POST /wp-admin/admin.php?page=userultra&tab=gateway
1) gateway_paypal_email
2) gateway_paypal_currency

Steps to reproduce:
Vulnerability type: Cross-site request forgery
CWE: https://cwe.mitre.org/data/definitions/352.html
Vulnerable versions: 1.5.75 (only one tested)
Fixed version: 1.5.79
Vendor notification: 2016-03-15
Solution date: 2016-04-13
Public disclosure: 2016-05-10

All POST queries are affected: none of the plugin's settings forms carried a nonce, so every parameter listed above could be set by a forged request submitted from a logged-in administrator's browser.

Timeline:
2016-03-06: Vendor contacted without details.
2016-03-15: Vendor notified with technical details.
2016-03-18: Vendor partially fixes the issues.
2016-03-25: Vendor partially fixes the issues.
2016-04-13: Vendor partially fixes the issues.
2016-05-10: Public disclosure.
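The following is an added example, not the vendor's code, showing how the three issue classes above (the unvalidated include path, the missing nonce/capability checks behind the CSRF, and the unsanitised, unescaped settings behind the reflected and stored XSS) are fixed with the WordPress core API. It assumes it runs inside WordPress, so get_current_screen(), check_admin_referer(), the sanitize_*/esc_* helpers and the options API are available. The constant xoousers_path, the slug, the method name include_tab_content() and the parameter names come from the advisory; the class name, the nonce action, the option prefix, the save_settings()/render_text_field() methods and the assumed tab list ("settings", "mail", "gateway", the only tabs named on this page) are hypothetical.

```php
<?php
// Added example (not the plugin's code). Hardened versions of the plugin's
// tab loader and settings handling, written against the WordPress core API.
// Assumes a WordPress runtime; names other than include_tab_content(),
// xoousers_path, the slug and the parameter names are hypothetical.

class Users_Ultra_Admin_Hardened
{
    private $slug        = 'userultra';
    private $default_tab = 'settings';

    // Allowlist of tab files that may be included. Anything not in this list
    // falls back to the default tab; user input never becomes a path.
    // Assumption: the real plugin has more tabs than the three named here.
    private $tabs = array( 'settings', 'mail', 'gateway' );

    // Fix for OVE-20160509-0046 (CWE-73).
    public function include_tab_content()
    {
        $screen = get_current_screen();
        if ( ! $screen || false === strpos( $screen->id, $this->slug ) ) {
            return;
        }

        // sanitize_key() keeps only [a-z0-9_-], so "../", "%00" and ".php"
        // cannot survive; the strict in_array() check is the real control.
        $requested = isset( $_GET['tab'] ) ? sanitize_key( wp_unslash( $_GET['tab'] ) ) : '';
        $tab       = in_array( $requested, $this->tabs, true ) ? $requested : $this->default_tab;

        require_once xoousers_path . 'admin/tabs/' . $tab . '.php';
    }

    // Fix for the CSRF (CWE-352) and the stored XSS (OVE-20160509-0048):
    // capability check, then nonce check, then type-appropriate sanitisation
    // of each parameter before it is written to the options table.
    public function save_settings()
    {
        if ( ! current_user_can( 'manage_options' ) ) {
            wp_die( 'Insufficient privileges.' );
        }

        // Dies with 403 unless the POST carries a valid nonce for this action;
        // the form must emit it with wp_nonce_field( 'uultra_save_settings' ).
        check_admin_referer( 'uultra_save_settings' );

        // One sanitiser per parameter, matching the parameter's type. A
        // free-text sanitiser on a numeric or e-mail field would still let
        // markup-free but wrong values through.
        $fields = array(
            'uultra_password_lengh'     => 'absint',
            'media_photo_thumb_width'   => 'absint',
            'media_uploading_folder'    => 'sanitize_file_name',
            'mailchimp_api'             => 'sanitize_text_field',
            'recaptcha_public_key'      => 'sanitize_text_field',
            'messaging_send_from_name'  => 'sanitize_text_field',
            'messaging_send_from_email' => 'sanitize_email',
            'gateway_paypal_email'      => 'sanitize_email',
            'gateway_paypal_currency'   => 'sanitize_key',
        );

        foreach ( $fields as $name => $sanitizer ) {
            if ( ! isset( $_POST[ $name ] ) ) {
                continue;
            }
            $clean = call_user_func( $sanitizer, wp_unslash( $_POST[ $name ] ) );
            update_option( 'uultra_' . $name, $clean );
        }
    }

    // Fix for the reflected XSS (OVE-20160509-0047): escape at the point of
    // output, for the context the value lands in. Sanitising on save is not a
    // substitute; an attribute value needs esc_attr(), body text esc_html().
    public function render_text_field( $name )
    {
        $value = get_option( 'uultra_' . $name, '' );
        printf(
            '<input type="text" name="%1$s" id="%1$s" value="%2$s" />',
            esc_attr( $name ),
            esc_attr( $value )
        );
    }
}
```

The allowlist is what closes the include issue; sanitize_key() alone would also neutralise the traversal, but a fixed set of file names means a future change to the sanitiser cannot reopen it. The nonce check and the capability check are separate controls: the nonce proves the request originated from the plugin's own form in the victim's browser, the capability check proves that browser belongs to someone allowed to change settings, and the 1.5.79 fix described above added only the former.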