WordPress Plugin Flaw Let Attackers Seize Administrative Control


A critical vulnerability has been discovered in the popular Profile Builder and Profile Builder Pro plugins, with over 50,000 active installations.

The flaw, identified during a routine audit of various WordPress plugins, allows unauthenticated attackers to escalate their privileges and gain administrative access to targeted sites without possessing account credentials.

EHA

CVE-2024-6695 – Unauthenticated Privilege Escalation Vulnerability

As reported by WPScan, the vulnerability tracked as CVE-2024-6695 has been assigned a CVSSv3.1 score of 9.8, indicating its critical severity. The flaw was addressed and patched on July 11th, 2024, with the release of plugin version 3.11.9.

The issue has also been cataloged in the WordPress Vulnerability Database under WPVDB-ID 4afa5c85-ce27-4ca7-bba2-61fb39c53a5b.

Technical Breakdown

The vulnerability stems from inconsistencies in how the plugins handle user-provided email information during registration.

Are you from SOC/DFIR Teams? - Sign up for a free ANY.RUN account! to Analyse Advanced Malware Files

When a new user registers, the plugin performs several checks to validate the email address and ensure the user is not already registered. However, a flaw in these checks creates an exploitable situation.

function wppb_check_email_value( $message, $field, $request_data, $form_location ) {
    global $wpdb;
 
    if ( isset( $request_data['email'] ) ) {
        $request_data['email'] = apply_filters('wppb_before_processing_email_from_forms', stripslashes( $request_data['email'] ) );
 
        if ((isset($request_data['email']) && (trim($request_data['email']) == '')) && ($field['required'] == 'Yes'))
            return wppb_required_field_error($field["field-title"]);
 
        if (isset($request_data['email']) && !is_email(trim($request_data['email']))) {
            return __('The email you entered is not a valid email address.', 'profile-builder');
        }
 
        $users = $wpdb->get_results($wpdb->prepare("SELECT * FROM {$wpdb->users} WHERE user_email = %s", $request_data['email']));
 
        if (!empty($users)) { //register again
            if ($form_location == 'register')
                return __('This email is already in use.', 'profile-builder') . '
'
. __('Please try a different one!', 'profile-builder');
        }
    }
}

Here’s a brief overview of the process:

  1. Email Validation: The plugin validates the email address provided during registration to ensure it is not already in use and is a valid email format.
  2. Automatic Login: The user is automatically logged in with a subscriber role after successful registration. This process involves generating a security nonce and retrieving the user object using the email address.
  3. Nonce Verification: The plugin then uses the generated nonce and user ID to log the user in with the corresponding privileges automatically.

The vulnerability arises from the lack of consistency in handling the user-provided email information at various stages of this process. This inconsistency allows attackers to manipulate the registration process and gain administrative access.

Impact and Mitigation

The implications of this vulnerability are severe, as it allows attackers to perform unauthorized actions with administrative privileges. This could lead to the complete compromise of affected websites, including data theft, defacement, and further exploitation.

Website administrators using the Profile Builder and Profile Builder Pro plugins are strongly advised to update to version 3.11.9 immediately to mitigate the risk.

The update addresses the vulnerability by consistently handling user-provided email information and enhancing security checks during registration.

A proof of concept demonstrating the exploitation of this vulnerability is scheduled to be released on August 5th, 2024.

This release will likely provide further insights into the flaw’s mechanics and underscore the importance of timely updates and robust security practices.

As the WordPress ecosystem grows, the discovery of such vulnerabilities highlights the need for continuous vigilance and proactive security measures to protect websites and their users from emerging threats.

"Is Your System Under Attack? Try Cynet XDR: Automated Detection & Response for Endpoints, Networks, & Users!"- Free Demo



Source link