In May, researchers at Wordfence discovered multiple vulnerabilities in a WordPress plugin, each assigned a CVSS score of 9.8. The flaws let an attacker escalate their privileges and upload malicious code, resulting in complete takeover of a WordPress site.
The plugin in question is ProfilePress, formerly named WP User Avatar. It is meant to simplify uploading WordPress user profile images and, according to Wordfence, has over 40,000 installs.
Although its original functionality was limited to uploading photos, a recent update added new features including user login and registration, and it is in this new code that the vulnerabilities were found.
The first vulnerability (CVE-2021-34621) is a privilege escalation flaw according to the researchers at Wordfence.
During user registration, users could supply arbitrary user metadata that would be written during the registration process.
This included the wp_capabilities user meta, which WordPress uses to store a user's capabilities and role. A user could therefore submit wp_capabilities as an array parameter while registering, and the supplied capabilities would be granted, allowing them to set their role to anything they wanted, including administrator.
The registration handler also did not check whether user registration was enabled on the site, so users could register as an administrator even on sites where registration was disabled. This allowed attackers to "completely take over" a vulnerable WordPress site with very little effort.
The second vulnerability, CVE-2021-34622, is a privilege escalation bug in the user profile update functionality. It used the same mechanism as above but required the attacker to already have an account on the vulnerable site.
However, because the registration function did not check whether user registration was enabled, an attacker who could not exploit the registration flaw could simply sign up and then exploit this one instead.
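The following is an added example, not ProfilePress code, written to show the class of bug behind CVE-2021-34621 and CVE-2021-34622: a handler that copies every submitted field into user meta, next to a hardened version that gates on the registration setting, writes only plugin-defined keys, and refuses the meta keys WordPress uses for authorization. It runs stand-alone on the PHP CLI; the WordPress calls (update_user_meta, get_option, set_role) are simulated, and the table prefix, default role, and the custom field name pp_bio are assumptions for illustration.

```php
<?php
// Added example, not ProfilePress code. Shows the pattern behind
// CVE-2021-34621/34622 (every submitted field copied into user meta) beside
// a hardened registration handler. Runs stand-alone on the CLI: WordPress
// calls are simulated so the decision logic can be exercised offline.

// Assumptions for illustration: the default table prefix and a default role.
const TABLE_PREFIX = 'wp_';          // WordPress: $wpdb->prefix
const DEFAULT_ROLE = 'subscriber';   // WordPress: get_option('default_role')

// Vulnerable pattern: anything the client sends becomes user meta. WordPress
// derives a user's role from the {$prefix}capabilities meta, so a request
// carrying wp_capabilities[administrator]=1 makes the new account an admin.
function vulnerable_registration_meta(array $post): array {
    $meta = [];
    foreach ($post as $key => $value) {
        if (in_array($key, ['user_login', 'user_email', 'user_pass'], true)) {
            continue; // core account fields are handled separately
        }
        $meta[$key] = $value; // would be passed straight to update_user_meta()
    }
    return $meta;
}

// Hardened pattern: refuse when registration is off, write only keys the
// plugin itself defines, and never let authorization meta through. The same
// filter (minus the registration gate) applies to the profile update path.
function hardened_register(array $post, bool $users_can_register, array $allowed_keys): array {
    if (!$users_can_register) {
        return ['error' => 'registration_disabled'];   // the check that was missing
    }
    $protected = [
        TABLE_PREFIX . 'capabilities', TABLE_PREFIX . 'user_level',
        'capabilities', 'user_level',
    ];
    $meta = [];
    foreach ($allowed_keys as $key) {
        if (in_array($key, $protected, true) || !isset($post[$key])) {
            continue;
        }
        if (!is_scalar($post[$key])) {
            continue;   // profile fields are strings; an array is never expected
        }
        $meta[$key] = trim((string) $post[$key]);
    }
    // The role is chosen by the server, e.g. $user->set_role(DEFAULT_ROLE),
    // never taken from the request.
    return ['role' => DEFAULT_ROLE, 'meta' => $meta];
}

// Constructed request body. PHP parses wp_capabilities[administrator]=1 from
// the POST body into the nested array shown here.
$attacker_post = [
    'user_login'      => 'newuser',
    'user_email'      => 'newuser@example.invalid',
    'user_pass'       => 'correct horse battery',
    'display_name'    => 'Totally Normal',
    'wp_capabilities' => ['administrator' => '1'],
    'wp_user_level'   => '10',
];

echo "vulnerable writes: ",
     implode(', ', array_keys(vulnerable_registration_meta($attacker_post))), "\n";
print_r(hardened_register($attacker_post, false, ['display_name', 'pp_bio']));
print_r(hardened_register($attacker_post, true,  ['display_name', 'pp_bio']));
```

The vulnerable function reports wp_capabilities and wp_user_level among the keys it would write; the hardened one returns an error when registration is disabled and otherwise writes only display_name with the server-chosen role. Note that the protected list is built from the table prefix, since WordPress stores capabilities under {$prefix}capabilities, not a fixed wp_ name.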
The third, CVE-2021-34623, is an arbitrary file upload in the image uploader component. ProfilePress's image uploader relied on the exif_imagetype function to decide whether a file was safe. That function only inspects the file's leading signature bytes, so an attacker could disguise a malicious file by giving it a valid image header, which would pass the exif_imagetype check.
This vulnerability could have been exploited to upload a web shell, giving the attacker remote code execution on the server.
Finally, CVE-2021-34624 is another arbitrary file upload vulnerability, this time in the plugin's "custom fields" functionality, which likewise failed to adequately check uploaded files for malicious content and could also have been exploited to achieve remote code execution.
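The following is an added example, not ProfilePress code, covering both upload flaws above (CVE-2021-34623 and CVE-2021-34624). It shows why a magic-byte check such as exif_imagetype cannot prove a file is a harmless image, and one stricter handling path that decodes the upload with GD and re-encodes it under a server-chosen name. The polyglot sample (a GIF header followed by PHP source) is constructed here as an illustration of the header-spoofing the article describes; the payload is a harmless echo. It requires the exif and gd extensions and runs stand-alone.

```php
<?php
// Added example, not ProfilePress code. Shows why exif_imagetype() is not a
// safety check (it inspects only the leading magic bytes) and one stricter
// handling path. Requires the exif and gd extensions. Runs stand-alone.

// Constructed sample: a valid-looking GIF header followed by PHP source.
// The payload is a harmless echo; a real attacker would use a web shell.
const POLYGLOT = "GIF89a\x01\x00\x01\x00\x80\x00\x00" . "<?php echo 'polyglot'; ?>";

function write_temp(string $bytes): string {
    $path = tempnam(sys_get_temp_dir(), 'upl');
    file_put_contents($path, $bytes);
    return $path;
}

// Vulnerable check: passes for anything whose first bytes look like an image.
function vulnerable_is_image(string $path): bool {
    return exif_imagetype($path) !== false;
}

// Hardened handling: decode with GD and re-encode into a fresh PNG under a
// server-chosen name. Anything that does not decode is rejected; anything
// that does is rewritten pixel by pixel, so trailing bytes never survive.
// Returns the stored path, or null when the upload is refused.
function hardened_store_image(string $path, string $dest_dir): ?string {
    $raw = file_get_contents($path);
    if ($raw === false || strlen($raw) > 2 * 1024 * 1024) {
        return null;                      // size cap before decoding
    }
    $img = @imagecreatefromstring($raw);  // warnings on malformed data suppressed
    if ($img === false) {
        return null;
    }
    // Name and extension are chosen here, never taken from the client.
    $dest = $dest_dir . '/' . bin2hex(random_bytes(8)) . '.png';
    $ok = imagepng($img, $dest);
    imagedestroy($img);
    return $ok ? $dest : null;
}

// 1. The polyglot sails through the magic-byte check.
$upload = write_temp(POLYGLOT);
printf("exif_imagetype accepts polyglot: %s\n", vulnerable_is_image($upload) ? 'yes' : 'no');

// 2. The hardened path either rejects it or stores a re-encoded PNG that
//    no longer contains the PHP payload.
$stored = hardened_store_image($upload, sys_get_temp_dir());
if ($stored === null) {
    echo "hardened path rejected the polyglot\n";
} else {
    $survived = strpos(file_get_contents($stored), '<?php') !== false;
    printf("stored as %s, payload survived: %s\n", $stored, $survived ? 'yes' : 'no');
    unlink($stored);
}

// 3. A genuine image still goes through: build a 2x2 PNG with GD and submit it.
$im = imagecreatetruecolor(2, 2);
ob_start();
imagepng($im);
$png = ob_get_clean();
imagedestroy($im);
$real = write_temp($png);
$kept = hardened_store_image($real, sys_get_temp_dir());
printf("genuine PNG stored: %s\n", $kept !== null ? 'yes' : 'no');
if ($kept !== null) {
    unlink($kept);
}
unlink($upload);
unlink($real);
```

Inside WordPress the same idea is reached by handing the file to wp_handle_upload() with the mimes override restricted to image types and validating with wp_check_filetype_and_ext(), but re-encoding is what actually removes embedded code rather than merely detecting a mismatch. Whatever the check, the upload directory should also be configured so the web server never executes PHP from it; that second layer is what turns a bypassed check into a nuisance instead of a shell.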
Chloe Chamberland, the Wordfence threat analyst who discovered the bugs, told The Daily Swig:
I did a routine search for wp_ajax hooks and found that this plugin had introduced some new AJAX actions that I hadn’t previously noticed before, which led to me further investigating them. That eventually led to the discovery of the arbitrary file upload vulnerabilities since they were also associated with the user registration functionality.
The critical vulnerabilities were reported to the plugin's developer on May 27, and a patch was released soon after, on May 30. Site owners running ProfilePress should make sure they are on a patched version.