cbcvebase.
CVE-2021-34622
published 2021-07-07


Priority: P1 · 78 · high · 8.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
ITW · EXPLOIT · VulnCheck KEV
Exploited in the wild
EPSS: 4.12% (89.5th percentile)
A vulnerability in the user profile update component found in the ~/src/Classes/EditUserProfile.php file of the ProfilePress WordPress plugin made it possible for users to escalate their privileges to that of an administrator while editing their profile. This issue affects versions 3.0.0 - 3.1.3.

Affected (2 ranges)

Vendor | Product | Version range | Fixed in
profilepress | profilepress | (none listed) | (none listed)
properfraction | profilepress | 3.0.0 – 3.1.3 | (none listed)

Detection & IOCs (extracted from sources)

url: /wp-admin/admin-ajax.php
path: /account/edit-profile/
path: ~/src/Classes/EditUserProfile.php
command: action=pp_ajax_editprofile
command: wp_capabilities[administrator]=1
command: ppmyac_form_action=updateProfile
  • Detect POST requests to /wp-admin/admin-ajax.php with action=pp_ajax_editprofile containing the wp_capabilities[administrator] field set to 1 in a multipart form body — this is the privilege escalation payload.
  • Monitor POST requests to /wp-admin/admin-ajax.php with action=pp_ajax_signup followed by action=pp_ajax_login and then action=pp_ajax_editprofile — this three-step sequence is the full exploit chain (register, login, escalate).
  • Alert on multipart/form-data POST bodies to admin-ajax.php that include both ppmyac_form_action=updateProfile and wp_capabilities as a field name, indicating an attempt to overwrite user capabilities.
  • Look for the response body containing 'Account was updated successfully' or 'success":true' after a pp_ajax_editprofile action with wp_capabilities in the request — this confirms successful privilege escalation.
  • Presence of the FOFA/Shodan fingerprint body='/wp-content/plugins/profilepress' on a WordPress site indicates a potentially vulnerable instance to target or monitor.
  • The exploit requires the attacker to be authenticated (registered user). The attack chain starts with self-registration via pp_ajax_signup, so sites with open user registration are at highest risk.
  • The vulnerability is scoped to ProfilePress versions 3.0.0–3.1.3 only; version 3.1.4 and later are patched. Detection rules should correlate plugin version where possible.
  • The exploit template uses a hardcoded multipart boundary 'WebKitFormBoundarypRyCNwmSkLdfNd7E'; real-world attackers may use different boundaries, so detection should not rely solely on this value.
  • The nonce (_wpnonce and pp_ajax_form nonce) must be harvested from the /account/edit-profile/ page before the escalation POST; detection of a GET to that endpoint followed quickly by a POST to admin-ajax.php with wp_capabilities is a strong signal.
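The detection bullets above, turned into working logic as an added example (this is not code from cbcvebase or from the ProfilePress project). It assumes HTTP requests have already been exported as simple records (timestamp, source key, method, path, query string, Content-Type header, raw body, response body); the request records and the multipart body in the sample are constructed for illustration. The multipart parser reads the boundary from the Content-Type header, so the rules work whatever boundary the client chose, as the note about the hardcoded exploit-template boundary recommends.

```python
"""Detection logic for CVE-2021-34622 (ProfilePress privilege escalation).

Added example; assumes requests are available as parsed records. All sample
data below is constructed, not captured traffic.
"""
import re
from urllib.parse import parse_qs

AJAX_PATH = "/wp-admin/admin-ajax.php"
HARVEST_PATH = "/account/edit-profile/"
CHAIN = ("pp_ajax_signup", "pp_ajax_login", "pp_ajax_editprofile")


def parse_multipart(body, content_type):
    """Extract text fields from a multipart/form-data body.

    The boundary comes from the Content-Type header, so no particular
    boundary string (such as the exploit template's) is assumed.
    """
    m = re.search(r'boundary="?([^";]+)"?', content_type)
    if not m:
        return {}
    boundary = "--" + m.group(1)
    fields = {}
    for part in body.split(boundary):
        part = part.strip()
        if not part or part == "--":          # preamble / closing marker
            continue
        head, _, value = part.partition("\r\n\r\n")
        name = re.search(r'name="([^"]+)"', head)
        if name:
            fields[name.group(1)] = value.strip()
    return fields


def form_fields(req):
    """Merge query-string and body parameters into one name -> value map."""
    fields = {k: v[0] for k, v in parse_qs(req.get("query", "")).items()}
    ctype, body = req.get("content_type", ""), req.get("body", "")
    if "multipart/form-data" in ctype:
        fields.update(parse_multipart(body, ctype))
    elif body:
        fields.update({k: v[0] for k, v in parse_qs(body).items()})
    return fields


def ajax_action(req):
    """The admin-ajax 'action' of a POST, or None for anything else."""
    if req["method"] != "POST" or req["path"] != AJAX_PATH:
        return None
    return form_fields(req).get("action")


def is_escalation_attempt(req):
    """pp_ajax_editprofile / updateProfile POST that carries any wp_capabilities
    field. wp_capabilities[administrator]=1 is the known payload, but any write
    to capabilities through this endpoint is treated as an attempt."""
    if req["method"] != "POST" or req["path"] != AJAX_PATH:
        return False
    f = form_fields(req)
    touches_profile = (f.get("action") == "pp_ajax_editprofile"
                       or f.get("ppmyac_form_action") == "updateProfile")
    writes_caps = any(k == "wp_capabilities" or k.startswith("wp_capabilities[")
                      for k in f)
    return touches_profile and writes_caps


def confirmed_escalations(requests):
    """Attempts whose response body indicates the profile update succeeded."""
    return [r for r in requests if is_escalation_attempt(r) and (
        "Account was updated successfully" in r.get("response", "")
        or '"success":true' in r.get("response", ""))]


def harvest_then_escalate(requests, window=120):
    """GET /account/edit-profile/ (nonce harvest) followed within `window`
    seconds by an escalation POST from the same source."""
    hits, last_get = [], {}
    for r in sorted(requests, key=lambda r: r["ts"]):
        if r["method"] == "GET" and r["path"] == HARVEST_PATH:
            last_get[r["src"]] = r["ts"]
        elif is_escalation_attempt(r):
            t = last_get.get(r["src"])
            if t is not None and 0 <= r["ts"] - t <= window:
                hits.append((r["src"], t, r["ts"]))
    return hits


def full_chains(requests):
    """Sources that issued signup -> login -> editprofile in that order."""
    progress, found = {}, []
    for r in sorted(requests, key=lambda r: r["ts"]):
        a = ajax_action(r)
        if a is None:
            continue
        step = progress.get(r["src"], 0)
        if step < len(CHAIN) and a == CHAIN[step]:
            progress[r["src"]] = step + 1
            if step + 1 == len(CHAIN):
                found.append(r["src"])
    return found


# Constructed sample traffic (boundary and addresses are made up).
BOUNDARY = "constructedBoundary0001"
ESC_CTYPE = "multipart/form-data; boundary=" + BOUNDARY
ESC_BODY = "".join(
    f'--{BOUNDARY}\r\nContent-Disposition: form-data; name="{n}"\r\n\r\n{v}\r\n'
    for n, v in [("action", "pp_ajax_editprofile"),
                 ("ppmyac_form_action", "updateProfile"),
                 ("wp_capabilities[administrator]", "1")]) + f"--{BOUNDARY}--\r\n"
URLENC = "application/x-www-form-urlencoded"
SAMPLE = [
    {"ts": 10, "src": "198.51.100.7", "method": "POST", "path": AJAX_PATH,
     "content_type": URLENC, "body": "action=pp_ajax_signup&reg_username=newuser"},
    {"ts": 30, "src": "198.51.100.7", "method": "POST", "path": AJAX_PATH,
     "content_type": URLENC, "body": "action=pp_ajax_login&login_username=newuser"},
    {"ts": 60, "src": "198.51.100.7", "method": "GET", "path": HARVEST_PATH},
    {"ts": 95, "src": "198.51.100.7", "method": "POST", "path": AJAX_PATH,
     "content_type": ESC_CTYPE, "body": ESC_BODY,
     "response": '{"success":true,"message":"Account was updated successfully"}'},
    # Ordinary profile edit by another user: same action, no capabilities field.
    {"ts": 100, "src": "203.0.113.9", "method": "POST", "path": AJAX_PATH,
     "content_type": URLENC, "response": '{"success":true}',
     "body": "action=pp_ajax_editprofile&ppmyac_form_action=updateProfile&first_name=Ann"},
]

if __name__ == "__main__":
    print("attempts:", [r["ts"] for r in SAMPLE if is_escalation_attempt(r)])
    print("confirmed:", [r["ts"] for r in confirmed_escalations(SAMPLE)])
    print("harvest->escalate:", harvest_then_escalate(SAMPLE))
    print("full chains:", full_chains(SAMPLE))
```

Run as-is it reports one attempt (the multipart POST at ts 95), confirmed by its response body, the harvest-then-POST pairing for that source, and one complete signup/login/editprofile chain; the benign profile edit from the second source matches none of the rules. Correlating the result with the installed plugin version, as the notes suggest, is left to whatever asset inventory the deployment has.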

CVSS provenance

NVD v3.1: 8.8 HIGH (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
NVD v2.0: 6.5 MEDIUM (AV:N/AC:L/Au:S/C:P/I:P/A:P)
VulnCheck: 9.8 CRITICAL