cbcvebase.
CVE-2023-41954
published 2024-05-17


Priority: P2 (77), high, CVSS 3.1 base score 8.6
CVSS vector: AV:N / AC:L / PR:N / UI:N / S:U / C:L / I:H / A:L
Tags: ITW, EXPLOIT, VulnCheck KEV
Exploited in the wild
EPSS: 1.40% (69.0th percentile)
Improper Privilege Management vulnerability in ProfilePress Membership Team ProfilePress allows Privilege Escalation. This issue affects ProfilePress: from n/a through 4.13.1.

Affected

2 ranges
Vendor                        Product       Version range   Fixed in
profilepress_membership_team  profilepress  n/a – 4.13.1
properfraction                profilepress  < 4.13.2        4.13.2

Detection & IOCs (extracted from sources)

url: /wp-admin/admin-ajax.php
path: /wp-content/plugins/wp-user-avatar/
command: action=pp_ajax_signup
command: reg_select_role=editor
  • Detect unauthenticated privilege escalation attempts by monitoring POST requests to /wp-admin/admin-ajax.php with action=pp_ajax_signup and a reg_select_role field set to a privileged role (e.g., 'editor', 'administrator').
  • A successful exploitation response contains both 'profilepress-reg-status success' and 'Registration successful.' in the JSON body with HTTP 200 and Content-Type application/json.
  • Post-exploitation confirmation: attacker logs in via /wp-login.php and accesses /wp-admin/edit.php?post_type=page, with the response containing 'Filter pages list' and 'Add Page', confirming editor-level access.
  • Fingerprint vulnerable ProfilePress installations by searching for the wp-user-avatar plugin path in page bodies or HTTP components.
  • The multipart form-data boundary '----WebKitFormBoundaryoO03YbuBltnemvPe' is used in the exploit request and can serve as a network-level signature for this specific exploit template.
  • The exploit requires a valid 'signup_form_id' parameter, which must be discovered from the target site prior to exploitation. The template uses a dynamic variable ({{signup_form_id}}), implying a prior enumeration step (http(1)) is needed.
  • The vulnerability only affects ProfilePress versions up to and including 4.13.1; patched versions are not affected.
  • The privilege escalation is limited — the attacker can register as 'editor' role (not necessarily full administrator), hence the NVD description notes 'unauthenticated limited privilege escalation'.
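The detection bullets above, written out as matching logic a WAF rule or log-review script could run. This is an added example, not code from the cbcvebase record, from ProfilePress, or from any published detection rule: the HttpRequest record shape, the SAMPLE_REQUESTS traffic and the sample response body are constructed for illustration, and only the endpoint, parameter names, role names, response markers and the 4.13.2 version bound come from the page.

```python
# Added example (not part of the cbcvebase record or the ProfilePress project):
# detection logic for the request/response pattern listed in the IoCs above.
import re
from dataclasses import dataclass, field
from typing import Dict, List
from urllib.parse import urlparse, parse_qsl

# Roles the IoC list names as privileged values of reg_select_role.
PRIVILEGED_ROLES = {"administrator", "editor"}
AJAX_ENDPOINT = "/wp-admin/admin-ajax.php"
SIGNUP_ACTION = "pp_ajax_signup"
FIXED_VERSION = (4, 13, 2)  # "< 4.13.2" is affected, per the Affected table


@dataclass
class HttpRequest:
    """Minimal request record, as a WAF or log parser might produce it (assumed shape)."""
    method: str
    url: str                                             # path plus optional query string
    form: Dict[str, str] = field(default_factory=dict)   # decoded body fields


def request_params(req: HttpRequest) -> Dict[str, str]:
    """Merge query-string and body parameters; admin-ajax.php accepts 'action' in either."""
    parsed = urlparse(req.url)
    params = dict(parse_qsl(parsed.query, keep_blank_values=True))
    params.update(req.form)  # body fields take precedence over the query string
    return params


def is_signup_escalation_attempt(req: HttpRequest) -> bool:
    """True for a POST to admin-ajax.php with action=pp_ajax_signup asking for a privileged role."""
    if req.method.upper() != "POST":
        return False
    if urlparse(req.url).path != AJAX_ENDPOINT:
        return False
    params = request_params(req)
    if params.get("action") != SIGNUP_ACTION:
        return False
    return params.get("reg_select_role", "").strip().lower() in PRIVILEGED_ROLES


def response_indicates_success(status: int, content_type: str, body: str) -> bool:
    """Match the success response described in the IoCs: HTTP 200, JSON, both marker strings."""
    return (
        status == 200
        and content_type.lower().startswith("application/json")
        and "profilepress-reg-status success" in body
        and "Registration successful." in body
    )


def version_is_affected(version: str) -> bool:
    """Compare a dotted ProfilePress version string against the fixed version 4.13.2."""
    numbers = tuple(int(n) for n in re.findall(r"\d+", version))
    return bool(numbers) and numbers < FIXED_VERSION


def scan_requests(requests: List[HttpRequest]) -> List[str]:
    """Return one alert line per request that matches the escalation pattern."""
    alerts = []
    for i, req in enumerate(requests):
        if is_signup_escalation_attempt(req):
            role = request_params(req)["reg_select_role"]
            alerts.append(f"request {i}: pp_ajax_signup with reg_select_role={role}")
    return alerts


# Constructed sample traffic (not captured from any real site).
SAMPLE_REQUESTS = [
    HttpRequest("POST", AJAX_ENDPOINT,
                {"action": SIGNUP_ACTION, "signup_form_id": "1",
                 "reg_username": "newuser", "reg_select_role": "editor"}),
    HttpRequest("POST", AJAX_ENDPOINT,
                {"action": SIGNUP_ACTION, "signup_form_id": "1",
                 "reg_username": "member", "reg_select_role": "subscriber"}),
    HttpRequest("POST", AJAX_ENDPOINT + "?action=" + SIGNUP_ACTION,
                {"signup_form_id": "1", "reg_select_role": "Administrator"}),
    HttpRequest("GET", AJAX_ENDPOINT + "?action=heartbeat"),
    HttpRequest("POST", "/wp-login.php", {"log": "newuser", "pwd": "x"}),
]

if __name__ == "__main__":
    for line in scan_requests(SAMPLE_REQUESTS):
        print(line)
```

The request match deliberately keys on the role value rather than on the multipart boundary from the IoC list: the boundary identifies one exploit template, while any signup request carrying a privileged reg_select_role is the behaviour the patch removes, whichever client sends it. The version check treats anything below 4.13.2 as affected, which is the same bound as the Affected table's "< 4.13.2".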

CVSS provenance

nvd: v3.1 8.6 HIGH (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:L)
vulncheck: 8.6 HIGH
vendor_oracle: 3.3 LOW