Multiple vulnerabilities in WordPress plugin pose website remote code execution risk


Quartet of critical web security flaws plague CMS software

Multiple vulnerabilities in a WordPress plugin could lead to remote code execution

Multiple vulnerabilities in a popular WordPress plugin used to upload profile photos could allow an attacker to achieve remote code execution (RCE), researchers warn.

Four security issues, which were all assigned a high CVSS score of 9.8, were discovered in May by researchers from Wordfence.

These flaws made it possible for an attacker to escalate user privileges and upload malicious code – resulting in the complete takeover of a WordPress site.

The plugin in question is ProfilePress – formerly named WP User Avatar – which facilitates the uploading of WordPress user profile images. The technology has more than 40,000 installs, according to Wordfence.

Originally, as explained in an advisory from Wordfence, its only functionality was to upload photos; however, a recent change augmented the plugin with new features, including user login and registration.

The vulnerabilities stemmed from security flaws in these newly added features.

Privilege escalation

The first issue was a privilege escalation flaw. Wordfence explained: “During user registration, users could supply arbitrary user meta data that would get updated during the registration process.

“This included the user meta that controls a user’s capabilities and role. This made it possible for a user to supply as an array parameter while registering, which would grant them the supplied capabilities, allowing them to set their role to any role they wanted, including administrator.”

There was no way to validate that user registration was enabled on the site, meaning users could register as an administrator even on sites where user registration was disabled.


Attackers could therefore “completely take over” a vulnerable WordPress site with little effort.

Next up comes a privilege escalation bug (CVE-2021-34622) in the user profile update functionality, which used the same method as above, but did require an attacker to have an account on a vulnerable site in order for the exploit to work.

“However, since the registration function did not validate if user registration was enabled, a user could easily sign up and exploit this vulnerability, if they were not able to exploit the privilege escalation vulnerability during registration,” according to Wordfence.
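The registration and profile-update flaws described above share one root cause: request-supplied meta keys were written to the user record without an allowlist, and registration was not checked against the site setting. The following is an added illustration, not ProfilePress or Wordfence code, of how such a handler can be hardened; the allowed key names, the `wp_` table prefix and the sample request are assumptions constructed for this example.

```php
<?php
// Added example (not plugin code): allowlist user-supplied meta before it is
// written to the user record, and honour the site's registration setting.

// Meta keys a registration or profile form may set (assumed for illustration).
const ALLOWED_PROFILE_META = ['first_name', 'last_name', 'description'];

// Keys that must never come from a request. WordPress stores roles and
// capabilities under "<table_prefix>capabilities" and "<table_prefix>user_level".
function is_protected_meta_key(string $key, string $table_prefix): bool
{
    $protected = [$table_prefix . 'capabilities', $table_prefix . 'user_level'];
    return in_array($key, $protected, true);
}

// Returns the sanitised meta to store, or null when the request must be refused.
// $users_can_register mirrors the WordPress "users_can_register" option.
function prepare_registration_meta(array $request, bool $users_can_register,
                                   string $table_prefix = 'wp_'): ?array
{
    if (!$users_can_register) {
        return null;                      // registration disabled on this site
    }
    $clean = [];
    foreach ($request as $key => $value) {
        if (!in_array($key, ALLOWED_PROFILE_META, true)) {
            continue;                     // not on the allowlist: drop silently
        }
        if (is_protected_meta_key($key, $table_prefix)) {
            continue;                     // defence in depth if the allowlist grows
        }
        if (!is_scalar($value)) {
            continue;                     // role/capability data arrives as an array
        }
        $clean[$key] = trim((string) $value);
    }
    return $clean;
}

// Constructed request resembling a tampered registration form.
$request = [
    'first_name'      => 'Ada',
    'wp_capabilities' => ['administrator' => true],
    'wp_user_level'   => '10',
];
echo json_encode(prepare_registration_meta($request, true)), PHP_EOL;
echo json_encode(prepare_registration_meta($request, false)), PHP_EOL;
```

With registration enabled only `first_name` survives; with it disabled the handler returns null and the caller should abort before any user is created.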

Malicious uploads

Another vulnerability was an arbitrary file upload in the image uploader component (CVE-2021-34623). The image uploader in ProfilePress was insecurely implemented, using the function to determine whether a file was safe.

An attacker could disguise a malicious file as a spoofed image file, which would bypass the check.

This could be exploited to upload a webshell, allowing an attacker to achieve RCE and run commands on the server, resulting in complete site takeover.

Another arbitrary file upload vulnerability (CVE-2021-34624) in the plugin’s “custom fields” functionality, which also checks for malicious files, could be exploited to achieve RCE.

Disclosure

The critical vulnerabilities were reported to WordPress on May 27, and a patch was released by May 30.

Wordfence said they “recommend that users immediately update to the latest version available” of WordPress, currently version 3.1.8. Vulnerable versions include 3.1 – 3.1.3.
