Our team reacted immediately to the reported vulnerability and released an update (v4.9.20). The details of the vulnerability as reported to us are:
Full path disclosure and unauthorized image/zip/pdf/text/wav upload
The issues about unauthorised data upload can be found in /userpro/lib/fileupload/fileupload.php (public via: wp-site.tld/wp-content/plugins/userpro/lib/fileupload/fileupload.php). As seen starting at line 7, it is enough to provide a ?webcam via GET to trigger an upload of a file set in the request body (field = webcam). This file is named .jpeg but can be any file, even one containing executable PHP code inside an image. On certain webserver configurations this would be easily exploitable. In line 14 the full path disclosure happens: the JSON-encoded response contains the key target_file_uri, whose value is the absolute path to the uploaded file.
The second upload approach uses the same fileupload.php; instead of setting “webcam” as a GET parameter, one can specify userpro_file in the request body. This method is a little more restrictive, but still allows the upload of all MIME types listed in line 44. The full path disclosure is exactly as in the method above.
Unauthorized cached Google+ API Information
Inside /userpro/lib/google/tmp/apiClient/* multiple cached responses from the Google(+) API can be found. Example: /userpro/lib/google/tmp/apiClient/0c/0c282bb03f7a44b1f3f610dcbf530c02 contains responses from the Google API, likely left by the developer while debugging. All these folders contain responses from the Google API, mostly including personal data. All these files are publicly accessible via (using the previous example) /wp-content/plugins/userpro/lib/tmp/apiClient/0c/0c282bb03f7a44b1f3f610dcbf530c02
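Site operators who want to check whether the two issues above (the fileupload.php upload paths and the cached Google API files) were reached before updating can scan their web server access logs for the endpoints named in the report. The following script is an added example, not part of the advisory or the plugin; it assumes Apache/nginx combined log format, and the sample log lines are constructed.

```python
import re
from urllib.parse import urlparse, parse_qs

# Combined-log-format parser (IP, timestamp, method, request target, status, size).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Plugin-relative paths from the report, so the check works under any WordPress root.
UPLOAD_ENDPOINT = "/wp-content/plugins/userpro/lib/fileupload/fileupload.php"
CACHE_MARKERS = ("/plugins/userpro/", "/tmp/apiClient/")  # report lists two spellings of this path

def classify(line):
    """Return a finding tag for one log line, or None if it is unrelated."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlparse(m.group("target"))
    # keep_blank_values: the report says a bare "?webcam" (no value) is enough.
    qs = parse_qs(url.query, keep_blank_values=True)
    if url.path.endswith(UPLOAD_ENDPOINT):
        if "webcam" in qs:
            return "webcam-upload"        # first upload path from the report
        if m.group("method") == "POST":
            return "post-upload"          # second path (userpro_file in the body)
        return "upload-endpoint"          # any other access, worth a look
    if all(marker in url.path for marker in CACHE_MARKERS):
        return "api-cache-read"           # cached Google API responses being fetched
    return None

def scan(lines):
    """Return (ip, status, tag, path) for every line that matches a reported issue."""
    hits = []
    for line in lines:
        tag = classify(line)
        if tag:
            m = LOG_RE.match(line)
            hits.append((m.group("ip"), m.group("status"), tag, urlparse(m.group("target")).path))
    return hits

# Constructed sample log lines (addresses from documentation ranges, not real clients).
SAMPLE_LOG = """\
203.0.113.5 - - [28/Feb/2018:10:01:02 +0000] "POST /wp-content/plugins/userpro/lib/fileupload/fileupload.php?webcam HTTP/1.1" 200 154
203.0.113.5 - - [28/Feb/2018:10:01:09 +0000] "POST /wp-content/plugins/userpro/lib/fileupload/fileupload.php HTTP/1.1" 200 171
198.51.100.7 - - [28/Feb/2018:10:02:30 +0000] "GET /wp-content/plugins/userpro/lib/google/tmp/apiClient/0c/0c282bb03f7a44b1f3f610dcbf530c02 HTTP/1.1" 200 4096
192.0.2.9 - - [28/Feb/2018:10:03:00 +0000] "GET /index.php HTTP/1.1" 200 2048
"""

if __name__ == "__main__":
    for ip, status, tag, path in scan(SAMPLE_LOG.splitlines()):
        print(f"{tag:15} {status} {ip} {path}")
```

A 200 status on an api-cache-read hit means the cached file was still being served at that time; fileupload.php is also used legitimately by logged-in users, so upload hits are leads for review rather than proof of abuse.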
Version 4.9.20 28/02/2018
– Security Fix: File upload security update.
Please download the latest UserPro version from your CodeCanyon account.