Researchers have discovered multiple vulnerabilities in a popular WordPress plugin. That used to upload profile photos that could allow an attacker to gain remote code execution (RCE).
Wordfence researchers discovered four security issues in May, all of which received a high CVSS score of 9.8.
An attacker could use these flaws to escalate user privileges. And upload malicious code, allowing them to completely take over a WordPress site.
ProfilePress – formerly known as WP User Avatar – is a WordPress plugin that makes it easier to upload user profile images. According to Wordfence, the technology has been installed over 40,000 times.
According to a Wordfence advisory, the plugin’s only functionality was to upload photos at first, but it was recently updated to include new features such as user login and registration.
The vulnerabilities caused by flaws in the security of these feature updates.
Escalation of privileges
The first flaw was a flaw in privilege escalation. “During user registration, users could supply arbitrary user metadata that would get updated during the registration process.
“This included the wp_capabilities user meta that controls a user’s capabilities and role. This made it possible for a user to supply wp_capabilties as an array parameter while registering. Which would grant them the supplied capabilities. Allowing them to set their role to any role they wanted, including administrator.”
Users could register as administrators even on sites, where user registration disabled. Because there, no way to verify that user registration enabled on the site.
As a result, attackers could easily “completely take over” a vulnerable WordPress site.
The next vulnerability is a privilege escalation bug (CVE-2021-34622) in the user profile update functionality. Which used the same method as the previous one but required an attacker to have an account on a vulnerable site to work.
“However, since the registration function did not validate if user registration was enabled, a user could easily sign up and exploit this vulnerability, if they were not able to exploit the privilege escalation vulnerability during registration,” according to Wordfence.
In the image uploader component, there was also an arbitrary file upload vulnerability (CVE-2021-34623). The EXIF image type function used insecurely in ProfilePress’s image uploader to determine whether a file was safe or not.
An attacker could use a spoofed file to hide a malicious file by bypassing the EXIF image type check.
This could use to upload a web shell that allows an attacker to RCE and run commands on a server, allowing them to take complete control of the site.
Another arbitrary file upload vulnerability (CVE-2021-34624) in the plugin’s “custom fields” functionality. Which also checks for malicious files, could used to gain remote code execution.
The researcher who discovered the bug used a tool called WPDirectory to look for specific lines of code in the WordPress plugin repository.
“I did a routine search for wp_ajax hooks and found that this plugin had introduced some new AJAX actions that I hadn’t previously noticed before, which led to me further investigating them.” Chloe Chamberland, a Wordfence threat analyst, told The Daily Swig.
One of those new AJAX actions, according to Chamberland, was a user registration endpoint. And once she checked if any arbitrary user meta could supplied. She discovered the privilege escalation vulnerability. Which caused by arbitrary user meta accepted and updated.
“That eventually led to the discovery of the arbitrary file upload vulnerabilities since they were also associated with the user registration functionality,” she added.
WordPress notified of the critical vulnerabilities on May 27, and released a patch on May 30.
Wordfence advises users to “immediately update to the most latest version available” of WordPress, which is currently version 3.1.8. Versions 3.0-3.1.3 are vulnerable.
“I didn’t have to report the issues to WordPress in this case. But rather I was able to work directly with the developer. Who responded within a few minutes of us reaching out,” Chamberland explained.
“This was an ideal case when it comes to reporting the security issues. And working with the developer to get patches out.”
Aside from updating to the newest version, to protect against the vulnerabilities. She told The Daily Swig: “I would recommend looking for any rogue administrative user accounts in addition to checking or scanning for any uploaded PHP files in the /wp-content/uploads directory.
“If any rogue administrative accounts or malicious files are detected. Then they should be removed immediately and a full site cleaning should be performed.”
This article has been updated to include a comment from Wordfence and to clarify which versions are vulnerable.
You may also like: