Nasty WordPress plugin bugs could allow attackers to register as site admins

29 June 2021
Security researchers have discovered critical yet easily exploitable vulnerabilities in a popular WordPress plugin that can be abused to upload arbitrary files to affected websites.

In their breakdown of the vulnerability, researchers from Wordfence, which develops security solutions to protect WordPress installations, note that the affected plugin is installed on over 400,000 websites.

The ProfilePress plugin, earlier known as WP User Avatar, enables admins to design user profile pages, and create frontend forms for user registration. It also helps protect sensitive content and control user access.

Wordfence notes that the vulnerabilities could also be exploited by attackers to register themselves as a site administrator, even if the real admins had disabled user registration.

Improper implementation

According to Wordfence, although the ProfilePress plugin came into existence as a means to upload user profile photos, it recently metamorphosed into its current form and took on new user login and registration features.

Unfortunately, the new features were not coded securely, and the vulnerabilities were introduced along with them.

For instance, the plugin didn’t prevent users from supplying arbitrary metadata during the registration process, which Wordfence exploited to escalate a newly registered user’s privileges to those of an administrator.

The same could also be done in the update profile function. However, since there was no check to validate whether user registration was enabled on the site, attackers didn’t need to compromise an existing account, and could take over the website without much effort.
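The two defects described above (user-supplied metadata written without filtering, and no check that registration is enabled) come down to a pattern any frontend registration handler must get right. The following WordPress-style handler is an added illustration, not ProfilePress or Wordfence code; it writes only an explicit allowlist of profile fields as user meta, fixes the role server-side, and refuses to run when registration is disabled. `MY_ALLOWED_PROFILE_META`, `my_sanitize_registration_meta` and `my_handle_registration` are hypothetical names.

```php
<?php
// Added illustration, not code from ProfilePress or Wordfence.
// Hardened handling of a frontend registration form in WordPress.
// Only these profile fields may be written as user meta by the form.
const MY_ALLOWED_PROFILE_META = [ 'first_name', 'last_name', 'description' ];

// Keep only allowlisted keys; unknown keys (including any metadata
// WordPress itself uses for authorization) are discarded.
function my_sanitize_registration_meta( array $input ): array {
    $clean = [];
    foreach ( MY_ALLOWED_PROFILE_META as $key ) {
        if ( isset( $input[ $key ] ) && is_string( $input[ $key ] ) ) {
            $clean[ $key ] = sanitize_text_field( $input[ $key ] );
        }
    }
    return $clean;
}

// Handle a registration POST. Returns the new user ID or a WP_Error.
function my_handle_registration( array $post ) {
    // Honour the site's registration setting (the missing check described above).
    if ( ! get_option( 'users_can_register' ) ) {
        return new WP_Error( 'registration_disabled', 'Registration is disabled.' );
    }
    $login = sanitize_user( $post['user_login'] ?? '', true );
    $email = sanitize_email( $post['user_email'] ?? '' );
    $pass  = (string) ( $post['user_pass'] ?? '' );
    if ( '' === $login || ! is_email( $email ) || '' === $pass ) {
        return new WP_Error( 'invalid_input', 'Missing or invalid fields.' );
    }
    // Role is fixed server-side to the site default, never taken from input.
    $user_id = wp_insert_user( [
        'user_login' => $login,
        'user_email' => $email,
        'user_pass'  => $pass,
        'role'       => get_option( 'default_role', 'subscriber' ),
    ] );
    if ( is_wp_error( $user_id ) ) {
        return $user_id;
    }
    // Write only the filtered metadata, never the raw $post array.
    foreach ( my_sanitize_registration_meta( $post ) as $key => $value ) {
        update_user_meta( $user_id, $key, $value );
    }
    return $user_id;
}
```

The same allowlist function should guard the profile-update path too, since the write-up notes the metadata issue existed there as well.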

Wordfence reported these vulnerabilities to ProfilePress around the end of May. The company responded swiftly, plugging the bugs with a patch (v3.1.4) within a couple of days.

To shield against attack, users running vulnerable versions (3.0-3.1.3) are urged to update immediately.

Source: TechRadar
