URL Media Uploader WordPress Plugin Missing Authorization Vulnerability Allows Unauthorized File Uploads
Vulnerability
A vulnerability exists in the URL Media Uploader plugin for WordPress, in versions up to and including 1.0.1. The 'url_media_uploader_url_upload_ajax_handler()' function performs no capability check, so any authenticated user with Contributor-level access or above can add media files of otherwise-permitted types to the WordPress media library. This bypasses the default WordPress permission model, in which only users holding the 'upload_files' capability (Authors, Editors, and Administrators by default) are allowed to upload media; Contributors do not hold it.
Impact
An authenticated user with the Contributor role or higher can add files to the media library without holding the 'upload_files' capability that WordPress normally requires. The uploaded files are stored as regular attachments and are reachable at their direct URLs.
Reproduction
To reproduce this vulnerability, log into WordPress as a user with Contributor or higher privileges. Navigate to an admin page where the URL Media Uploader plugin's scripts are loaded, such as the post editor or the media library. Open the browser console and read the nonce and AJAX URL from the plugin's localized script data. Then send an AJAX request to the 'url_media_uploader_url_upload' action, passing the URL of a media file of a type WordPress already allows. If successful, the fetched file appears in the media library. Note that the nonce is not an authorization control: it only proves the request originated from a page the logged-in user loaded, and a Contributor can load the post editor, so the nonce check does not stop this attack.
Remediation
The fix is to add a capability check to the AJAX handler, alongside the existing nonce check, so that only users with the 'upload_files' capability can upload files ('current_user_can( 'upload_files' )'). No patched version is known at the time of writing, so site owners may be best served by deactivating and uninstalling the affected plugin and finding a replacement.
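The following is an added, illustrative AJAX upload-by-URL handler written for this advisory; it is not the URL Media Uploader plugin's own code. It ties together the reproduction steps above (the localized script data that exposes the AJAX URL and nonce) and the remediation (the missing 'upload_files' check). The hook name 'wp_ajax_url_media_uploader_url_upload' and the handler name follow the advisory; the nonce action name, the script handle and path, the JavaScript object name 'urlMediaUploader', and the 'url' and 'nonce' request fields are assumptions.

```php
<?php
/**
 * Illustrative handler (added example, not the plugin's code).
 * Assumed: nonce action 'url_media_uploader_upload', script handle
 * 'url-media-uploader', JS object 'urlMediaUploader', POST fields 'url'/'nonce'.
 */

// Expose the AJAX URL and a nonce to admin pages. This is the "localized script
// data" a tester reads from the browser console in the reproduction steps.
add_action( 'admin_enqueue_scripts', function () {
    wp_enqueue_script( 'url-media-uploader', plugins_url( 'js/uploader.js', __FILE__ ), array( 'jquery' ), '1.0', true );
    wp_localize_script( 'url-media-uploader', 'urlMediaUploader', array(
        'ajaxUrl' => admin_url( 'admin-ajax.php' ),
        'nonce'   => wp_create_nonce( 'url_media_uploader_upload' ),
    ) );
} );

add_action( 'wp_ajax_url_media_uploader_url_upload', 'url_media_uploader_url_upload_ajax_handler' );

/**
 * Vulnerable pattern (not hooked): the nonce check is CSRF protection only.
 * Any logged-in user who can load the post editor receives a valid nonce, so
 * without a capability check a Contributor can reach the sideload below.
 */
function url_media_uploader_url_upload_ajax_handler_vulnerable() {
    check_ajax_referer( 'url_media_uploader_upload', 'nonce' );
    // Missing: current_user_can( 'upload_files' )
    url_media_uploader_sideload( isset( $_POST['url'] ) ? esc_url_raw( wp_unslash( $_POST['url'] ) ) : '' );
}

/**
 * Hardened pattern: keep the nonce check and add the same authorization check
 * WordPress core applies to media uploads.
 */
function url_media_uploader_url_upload_ajax_handler() {
    check_ajax_referer( 'url_media_uploader_upload', 'nonce' );

    if ( ! current_user_can( 'upload_files' ) ) {
        wp_send_json_error( array( 'message' => 'You are not allowed to upload files.' ), 403 );
    }

    $url = isset( $_POST['url'] ) ? esc_url_raw( wp_unslash( $_POST['url'] ) ) : '';
    if ( '' === $url || ! wp_http_validate_url( $url ) ) {
        wp_send_json_error( array( 'message' => 'Invalid URL.' ), 400 );
    }

    url_media_uploader_sideload( $url );
}

/**
 * Fetch the remote file and add it through the normal upload pipeline, so the
 * usual allowed-file-type checks (wp_check_filetype_and_ext) still apply.
 */
function url_media_uploader_sideload( $url ) {
    require_once ABSPATH . 'wp-admin/includes/file.php';
    require_once ABSPATH . 'wp-admin/includes/media.php';
    require_once ABSPATH . 'wp-admin/includes/image.php';

    $tmp = download_url( $url );
    if ( is_wp_error( $tmp ) ) {
        wp_send_json_error( array( 'message' => $tmp->get_error_message() ), 400 );
    }

    $file_array = array(
        'name'     => basename( (string) wp_parse_url( $url, PHP_URL_PATH ) ),
        'tmp_name' => $tmp,
    );

    $attachment_id = media_handle_sideload( $file_array, 0 );
    if ( is_wp_error( $attachment_id ) ) {
        @unlink( $tmp );
        wp_send_json_error( array( 'message' => $attachment_id->get_error_message() ), 400 );
    }

    wp_send_json_success( array(
        'id'  => $attachment_id,
        'url' => wp_get_attachment_url( $attachment_id ),
    ) );
}
```

In this layout the reproduction step amounts to reading 'urlMediaUploader.ajaxUrl' and 'urlMediaUploader.nonce' in the console and POSTing 'action=url_media_uploader_url_upload' with those values and a 'url' field; against the hardened handler a Contributor receives a 403 from 'current_user_can( 'upload_files' )' even with a valid nonce, which is the check the advisory reports as missing.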
