CVE-2021-34622
Published: 2021-07-07
Priority: P1 · 78 · high
CVSS 3.1: 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
Tags: ITW · EXPLOIT · VulnCheck KEV
Exploited in the wild
EPSS: 4.12% (89.5th percentile)
A vulnerability in the user profile update component, found in the ~/src/Classes/EditUserProfile.php file of the ProfilePress WordPress plugin, made it possible for users to escalate their privileges to those of an administrator while editing their profile. This issue affects versions 3.0.0 through 3.1.3.
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| profilepress | profilepress | — | — |
| properfraction | profilepress | 3.0.0 – 3.1.3 | 3.1.4 |
Detection & IOCs (extracted from sources)
Detection signals:
- Detect POST requests to /wp-admin/admin-ajax.php with action=pp_ajax_editprofile whose multipart form body contains the field wp_capabilities[administrator] set to 1. This is the privilege escalation payload.
- Monitor POST requests to /wp-admin/admin-ajax.php with action=pp_ajax_signup, followed by action=pp_ajax_login and then action=pp_ajax_editprofile from the same source. This three-step sequence (register, login, escalate) is the full exploit chain.
- Alert on multipart/form-data POST bodies to admin-ajax.php that include both ppmyac_form_action=updateProfile and any field named wp_capabilities (including bracketed keys such as wp_capabilities[administrator]); this indicates an attempt to overwrite user capabilities, whatever role is requested.
- Look for a response body containing `Account was updated successfully` or `"success":true` after a pp_ajax_editprofile request that carried wp_capabilities. That response confirms the privilege escalation succeeded.
- The FOFA/Shodan fingerprint body='/wp-content/plugins/profilepress' identifies a WordPress site running ProfilePress; such a site is a candidate to monitor (or, from the attacker's side, to target), and is vulnerable only if it runs 3.0.0 through 3.1.3.
Caveats:
- The exploit requires an authenticated (registered) user. Because the chain starts with self-registration via pp_ajax_signup, sites with open user registration are at highest risk.
- The vulnerability is scoped to ProfilePress versions 3.0.0 through 3.1.3; version 3.1.4 and later are patched. Detection rules should correlate the plugin version where possible.
- The public exploit template uses the hardcoded multipart boundary 'WebKitFormBoundarypRyCNwmSkLdfNd7E'. Real-world attackers may use any boundary, so detection must parse the boundary from the Content-Type header rather than match this string.
- The nonces (_wpnonce and the pp_ajax_form nonce) must be harvested from the /account/edit-profile/ page before the escalation POST, so a GET to that endpoint followed quickly by a POST to admin-ajax.php carrying wp_capabilities from the same source is a strong signal.
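The signals and caveats above, combined into one correlation routine, as an added example that is not the page's own code nor a rule from any of the sources it indexes. It parses urlencoded and multipart bodies (taking the boundary from the Content-Type header instead of the PoC's fixed string), tags each admin-ajax POST with the indicators it carries, and correlates signup, login, edit-profile page fetch and a wp_capabilities POST per source address, marking the alert confirmed when the response shows success. The request records, IP addresses, nonce values and the non-ProfilePress form field names are constructed placeholders; the action names and the wp_capabilities / ppmyac_form_action fields are the ones quoted above.

```python
"""Correlation logic for the CVE-2021-34622 exploit chain (added example).

Input is a time-ordered list of HTTP request records: dicts with src_ip,
method, path, content_type, body and response. All sample data below is
constructed; only the ProfilePress action/field names come from the page."""
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

ADMIN_AJAX = "/wp-admin/admin-ajax.php"
CHAIN = ("pp_ajax_signup", "pp_ajax_login", "pp_ajax_editprofile")
SUCCESS_MARKERS = ("Account was updated successfully", '"success":true')


def parse_form_fields(content_type, body):
    """Return {name: value} for urlencoded or multipart/form-data bodies.
    The boundary is read from Content-Type, so detection does not depend on
    the fixed 'WebKitFormBoundary...' string used by the public PoC."""
    if content_type.startswith("application/x-www-form-urlencoded"):
        return {k: v[-1] for k, v in parse_qs(body, keep_blank_values=True).items()}
    m = re.search(r'boundary="?([^";]+)"?', content_type)
    if not m:
        return {}
    fields = {}
    for part in body.split("--" + m.group(1))[1:]:
        if part.strip() in ("", "--"):
            continue  # preamble / closing marker
        head, _, value = part.partition("\r\n\r\n")
        name = re.search(r'name="([^"]*)"', head)
        if name:
            fields[name.group(1)] = value.rstrip("\r\n")
    return fields


def classify_request(req):
    """Tag one request with the CVE-2021-34622 indicators it matches."""
    tags = set()
    url = urlsplit(req["path"])
    if req["method"] != "POST" or url.path != ADMIN_AJAX:
        return tags
    fields = parse_form_fields(req.get("content_type", ""), req.get("body", ""))
    # the action may also travel in the query string
    fields.update({k: v[-1] for k, v in parse_qs(url.query).items() if k not in fields})
    if fields.get("action") in CHAIN:
        tags.add(fields["action"])
    caps = [k for k in fields if k == "wp_capabilities" or k.startswith("wp_capabilities[")]
    if caps:
        tags.add("wp_capabilities_in_body")          # any role overwrite attempt
        if fields.get("wp_capabilities[administrator]") == "1":
            tags.add("admin_escalation_payload")     # the documented payload
        if fields.get("ppmyac_form_action") == "updateProfile":
            tags.add("profile_update_overwrites_caps")
    return tags


def detect_chain(requests):
    """Per source IP: signup -> login -> GET /account/edit-profile/ (nonce
    harvest) -> editprofile POST carrying wp_capabilities. One alert per
    escalation attempt; 'confirmed' means the response reported success."""
    state = defaultdict(lambda: {"stage": 0, "nonce_page": False})
    alerts = []
    for req in requests:
        st = state[req["src_ip"]]
        if req["method"] == "GET" and urlsplit(req["path"]).path.rstrip("/").endswith("/account/edit-profile"):
            st["nonce_page"] = True
            continue
        tags = classify_request(req)
        if "pp_ajax_signup" in tags and st["stage"] == 0:
            st["stage"] = 1
        elif "pp_ajax_login" in tags and st["stage"] == 1:
            st["stage"] = 2
        if "pp_ajax_editprofile" in tags and "wp_capabilities_in_body" in tags:
            alerts.append({
                "src_ip": req["src_ip"],
                "full_chain": st["stage"] == 2,
                "nonce_page_fetched": st["nonce_page"],
                "confirmed": any(s in req.get("response", "") for s in SUCCESS_MARKERS),
                "tags": sorted(tags),
            })
    return alerts


def _multipart(boundary, fields):
    """Build a multipart/form-data body; used only to construct sample data."""
    body = "".join(
        f'--{boundary}\r\nContent-Disposition: form-data; name="{k}"\r\n\r\n{v}\r\n'
        for k, v in fields.items())
    return body + f"--{boundary}--\r\n"


URLENC = "application/x-www-form-urlencoded"
ATTACKER, BENIGN = "203.0.113.7", "198.51.100.5"  # constructed addresses
SAMPLE_REQUESTS = [  # constructed traffic; the boundary deliberately differs from the PoC's
    {"src_ip": ATTACKER, "method": "POST", "path": ADMIN_AJAX, "content_type": URLENC,
     "body": "action=pp_ajax_signup&user=mallory&email=m%40example.com&pass=x", "response": '{"success":true}'},
    {"src_ip": ATTACKER, "method": "POST", "path": ADMIN_AJAX, "content_type": URLENC,
     "body": "action=pp_ajax_login&user=mallory&pass=x", "response": '{"success":true}'},
    {"src_ip": ATTACKER, "method": "GET", "path": "/account/edit-profile/", "response": "<html>..._wpnonce...</html>"},
    {"src_ip": ATTACKER, "method": "POST", "path": ADMIN_AJAX,
     "content_type": "multipart/form-data; boundary=----geckoA1b2C3",
     "body": _multipart("----geckoA1b2C3", {"action": "pp_ajax_editprofile", "ppmyac_form_action": "updateProfile",
                                           "_wpnonce": "deadbeef00", "wp_capabilities[administrator]": "1"}),
     "response": '{"success":true,"message":"Account was updated successfully"}'},
    {"src_ip": BENIGN, "method": "POST", "path": ADMIN_AJAX,
     "content_type": "multipart/form-data; boundary=----geckoZ9y8",
     "body": _multipart("----geckoZ9y8", {"action": "pp_ajax_editprofile", "ppmyac_form_action": "updateProfile",
                                         "_wpnonce": "cafef00d11", "first_name": "Alice"}),
     "response": '{"success":true,"message":"Account was updated successfully"}'},
]

if __name__ == "__main__":
    for alert in detect_chain(SAMPLE_REQUESTS):
        print(alert)
```

Run as-is it prints one alert, for the attacker address only: the benign profile update hits the same action and the same success message but carries no wp_capabilities key, so it is never tagged. A feed of real access logs needs the request body and the response, which ordinary web-server logs do not record; the routine is meant for WAF, reverse-proxy or application-level logging that keeps both.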
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| NVD | 3.1 | 8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| NVD | 2.0 | 6.5 | MEDIUM | AV:N/AC:L/Au:S/C:P/I:P/A:P |
| VulnCheck | — | 9.8 | CRITICAL | — |
GHSA
GHSA-mfv5-8vh8-pcqg · ghsa_unreviewed · 2022-05-24 · CVE-2021-34622 [HIGH] · CWE-269
A vulnerability in the user profile update component, found in the ~/src/Classes/EditUserProfile.php file of the ProfilePress WordPress plugin, made it possible for users to escalate their privileges to those of an administrator while editing their profile. This issue affects versions 3.0.0 through 3.1.3.
VulnCheck
ProfilePress WordPress plugin ~/src/Classes/EditUserProfile.php Privilege Escalation Vulnerability
vulncheck · 2021 · CVSS 9.8 · CVE-2021-34622 [CRITICAL]
A vulnerability in the user profile update component, found in the ~/src/Classes/EditUserProfile.php file of the ProfilePress WordPress plugin, made it possible for users to escalate their privileges to those of an administrator while editing their profile. This issue affects versions 3.0.0 through 3.1.3.
Affected: properfraction profilepress
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/wp-user-avatar/profilepress-30-313-unauthenticated-privilege-escalation
No detection rules found.
Nuclei
WordPress ProfilePress <= 3.1.3 - Privilege Escalation
nuclei · CVSS 8.8 · CVE-2021-34622 [HIGH]
ProfilePress plugin before 3.1.4 allows privilege escalation. Due to insufficient validation in the profile update functionality, authenticated users can supply arbitrary usermeta fields, including `wp_capabilities`, during profile updates. This enables a user to escalate their privileges to administrator.
Template:
```yaml
id: CVE-2021-34622
info:
  name: WordPress ProfilePress <= 3.1.3 - Privilege Escalation
  author: Sourabh-Sahu
  severity: critical
  description: |
    ProfilePress plugin before 3.1.4 allows privilege escalation. Due to insufficient validation in the profile update functionality, authenticated users can supply arbitrary usermeta fields, including `wp_capabilities`, during profile updates. This enables a user to escalate their pri
```
No writeups or analysis indexed.