CVE-2021-34621
published 2021-07-07


Priority: P188 · critical · 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Tags: ITW exploit · VulnCheck KEV · Initial access
Exploited in the wild
EPSS: 68.86% (99.3rd percentile)
A vulnerability in the user registration component found in the ~/src/Classes/RegistrationAuth.php file of the ProfilePress WordPress plugin made it possible for users to register on sites as an administrator. This issue affects versions 3.0.0 - 3.1.3.

Affected (2 ranges)

Vendor          Product        Version range    Fixed in
profilepress    profilepress   -                -
properfraction  profilepress   3.0.0 – 3.1.3    -

Detection & IOCs (extracted from sources)

URL: /wp-admin/admin-ajax.php
Path: ~/src/Classes/RegistrationAuth.php
Command: action=pp_ajax_signup
Command: wp_capabilities[administrator]=1
  • Detect unauthenticated POST requests to /wp-admin/admin-ajax.php containing both the 'pp_ajax_signup' action and 'wp_capabilities[administrator]=1' parameter, which indicates an attempt to self-register as a WordPress administrator via the ProfilePress plugin vulnerability.
  • Monitor for new WordPress user accounts created with administrator role originating from the ProfilePress registration flow (pp_ajax_signup action). Successful exploitation results in a 200 response and the attacker can subsequently access /wp-admin/ with a 'Welcome to your WordPress Dashboard' response.
  • The exploit uses multipart/form-data with a specific boundary value; network signatures can key on the boundary string combined with the pp_ajax_signup action and wp_capabilities[administrator] field.
  • Affected versions are strictly 3.0.0 through 3.1.3 of the ProfilePress (formerly WP User Avatar) plugin. Detection rules should be scoped to sites running these versions to reduce false positives.
  • The exploit requires WordPress 4.7 or higher to be present alongside the vulnerable plugin version range.
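The detection logic described in the bullets above, as an added example that is not part of this record: it runs over constructed WAF-style request records (the field names and sample bodies are assumptions of this example, not captured traffic) and flags an unauthenticated POST to admin-ajax.php that carries both the pp_ajax_signup action and a client-supplied wp_capabilities[administrator] field, decoding either urlencoded or multipart/form-data bodies.

```python
import re
from urllib.parse import parse_qs
# Constructed sample records (not captured traffic) in the shape a WAF or reverse proxy
# that logs request bodies might emit; field names are an assumption of this example.
SAMPLE_REQUESTS = [
    {"method": "POST", "path": "/wp-admin/admin-ajax.php", "authenticated": False,
     "content_type": "multipart/form-data; boundary=XyZ",
     "body": ("--XyZ\r\nContent-Disposition: form-data; name=\"action\"\r\n\r\npp_ajax_signup\r\n"
              "--XyZ\r\nContent-Disposition: form-data; name=\"wp_capabilities[administrator]\"\r\n\r\n1\r\n"
              "--XyZ--\r\n")},
    {"method": "POST", "path": "/wp-admin/admin-ajax.php", "authenticated": False,
     "content_type": "application/x-www-form-urlencoded",
     "body": "action=pp_ajax_signup&reg_username=alice&reg_email=alice%40example.invalid"},
    {"method": "POST", "path": "/wp-admin/admin-ajax.php", "authenticated": True,
     "content_type": "application/x-www-form-urlencoded",
     "body": "action=heartbeat&wp_capabilities%5Badministrator%5D=1"},
]

def form_fields(content_type, body):
    """Decode a urlencoded or multipart/form-data body into {name: [values]}."""
    if not content_type.startswith("multipart/form-data"):
        return parse_qs(body, keep_blank_values=True)
    boundary = re.search(r'boundary="?([^";]+)"?', content_type)
    fields = {}
    if boundary is None:
        return fields
    for part in body.split("--" + boundary.group(1))[1:]:
        if part.strip() in ("", "--"):  # preamble/epilogue and the closing marker
            continue
        headers, _, value = part.partition("\r\n\r\n")
        name = re.search(r';\s*name="([^"]+)"', headers)
        if name:
            fields.setdefault(name.group(1), []).append(value.rstrip("\r\n"))
    return fields

def is_admin_signup_attempt(req):
    """Unauthenticated POST to admin-ajax.php with pp_ajax_signup and a wp_capabilities[administrator] field."""
    if req["method"] != "POST" or req["authenticated"]:
        return False
    if req["path"].split("?", 1)[0] != "/wp-admin/admin-ajax.php":
        return False
    fields = form_fields(req["content_type"], req["body"])
    if "pp_ajax_signup" not in fields.get("action", []):
        return False
    # A registration form never legitimately lets the client pick its own role.
    return any(k.lower() == "wp_capabilities[administrator]" for k in fields)

def flag_requests(requests):
    return [i for i, r in enumerate(requests) if is_admin_signup_attempt(r)]
```

Alerts from this check should be paired with the second bullet's host-side signal (a new administrator account created via the ProfilePress flow) to confirm whether the attempt succeeded.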

CVSS provenance

NVD        v3.1  9.8  CRITICAL  CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
NVD        v2.0  7.5  HIGH      AV:N/AC:L/Au:N/C:P/I:P/A:P
VulnCheck        9.8  CRITICAL