The sink function is load_template() in class-shortcodes.php This vulnerability looks like https://www.pritect.net/blog/ultimate-member-1-3-84-wordpress-shortcodes
If the result of file_exists($theme_file) is true, this function will include the theme_file
$theme_file has two parts: get_stylesheet_directory() and /ultimate-member/templates/{$tpl}.php
$tpl has not been filtered and if attacker can control the content of $tpl, he can include any php file he want and execute any code he want.
load_template() function is called by template_load() function in class-shortcodes.php
template_load() function is called by ultimatemember_account() function in class-account.php and ultimatemember_password() function in class-password.php at least
Although $template has default value "account" or "password-reset", attacker can pass $args into function to cover it by wp_parse_args($args,$defaults);
Because $args['template'] is not filtered in any part, If attacker pass malicious $args into function, unexpected php file will be included
ultimatemember_account() function in class-account.php and ultimatemember_password() function in class-password.php can be called by shortcodes [ultimatemember_account] [ultimatemember_password]
Thus, if attacker (need permission to edit shortcodes) put [ultimatemember_account template=../../../../plugins/ultimate-member/includes/admin/templates/dashboard/users], users.php should be included. If a method could be discovered that allows uploading arbitrary PHP code, this could be used to execute that code.
However, this vulnerability has some limits. I tried this payload on my vps, $theme_file on my vps is /usr/local/lighthouse/softwares/wordpress/wp-content/themes/twentytwenty/ultimate-member/templates/
Because this path not exists, file_exists() will return false on Linux if the content has any wrong path.
However, Windows can handle the payload correctly.
The reason is that the method to handle the wrong path and ../ between Linux and Windows is different. https://stackoverflow.com/questions/62327748/relative-path-resolution-differences-between-windows-linux
Thus, if $theme_file is a real path on the host (Website manager has already cereated folder for adding new ultimate-member templates https://docs.ultimatemember.com/article/120-adding-your-custom-profile-templates, https://docs.ultimatemember.com/article/119-overriding-default-ultimate-member-profile-templates), this vulnerability can work on both Linux and Windows. On the contraty, this vulnerability can not work on Linux.
This is a Directory Traversal and Local File Inclusion vulnerability.
I added echo $theme_file; in class-shortcodes.php to hook the value of $theme_file on my vps
The result is the expected value.
After I create the folder and the path exists now, users.php is included.
