CVE-2021-24527
published 2021-08-16


Priority: P181
Severity: critical, CVSS 3.1 base score 9.8
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Tags: ITW, EXPLOIT, VulnCheck KEV
Exploited in the wild
EPSS: 7.70% (93.8th percentile)
The User Registration & User Profile – Profile Builder WordPress plugin before 3.4.9 has a bug allowing any user to reset the password of the admin of the blog, and gain unauthorised access, due to a bypass in the way the reset key is checked. Furthermore, the admin will not be notified of such change by email for example.

Affected (1 range)

Vendor       Product          Version range   Fixed in
cozmoslabs   profile_builder  < 3.4.9         3.4.9

Detection & IOCs (extracted from sources)

url: /?key=%3Ca%
  • Exploit sends a multipart form POST with a `password_recovery_nonce_field2` field and a malformed/bypassed `key` parameter (URL-encoded `<a`) in `_wp_http_referer`, triggering unauthorized admin password reset.
  • Successful exploitation results in the response body containing the string 'Your password has been successfully changed' with HTTP 200 status — use this as a detection signal in WAF/proxy logs.
  • The exploit uses a multipart boundary `------WebKitFormBoundary8nxJ9mBo6lwGYE0K` — presence of this specific boundary in POST requests to password recovery endpoints may indicate exploitation attempts.
  • The bypass abuses the reset key validation in Profile Builder (WordPress plugin) versions before 3.4.9; monitor POST requests to password recovery endpoints containing `password_recovery_nonce_field2` alongside a crafted/malformed `key` value.
  • The `skip-variables-check: true` directive in the PoC template indicates the nonce value (`{{nonce}}`) must be dynamically resolved at runtime; static replay of the request without a valid nonce may not succeed.
  • The admin is not notified of the password change via email, making this attack stealthy and harder to detect through standard notification channels.

CVSS provenance

  • nvd (v3.1): 9.8 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • nvd (v2.0): 10.0 CRITICAL, AV:N/AC:L/Au:N/C:C/I:C/A:C
  • vulncheck: 9.8 CRITICAL