Nasty WordPress plugin bugs could allow attackers to register as site admins

Unbreakable Lock
(Image credit: KAUST)

Security researchers have discovered critical yet easily exploitable vulnerabilities in a popular WordPress plugin that can be abused to upload arbitrary files to affected websites.

In their breakdown of the vulnerability, researchers from Wordfence, which develops security solutions to protect WordPress installations, note that the affected plugin is installed on over 400,000 websites.

The ProfilePress plugin, earlier known as WP User Avatar, enables admins to design user profile pages, and create frontend forms for user registration. It also helps protect sensitive content and control user access.

TechRadar needs yo...

We're looking at how our readers use VPNs with streaming sites like Netflix so we can improve our content and offer better advice. This survey won't take more than 60 seconds of your time, and you can also choose to enter the prize draw to win a $100 Amazon voucher or one of five 1-year ExpressVPN subscriptions.

>> Click here to start the survey in a new window <<

Wordfence notes that the vulnerabilities could also be exploited by attackers to register themselves as a site administrator, even if the real admins had disabled user registration.

Improper implementation

According to Wordfence, although the ProfilePress plugin came into existence as a means to upload user profile photos, it recently metamorphosed into its current form and took on new user login and registration features. 

Unfortunately, however, the new features weren’t properly coded and the vulnerabilities were introduced.

For instance, the plugin didn’t prevent users from supplying arbitrary metadata during the registration process, which Wordfence exploited to escalate their user privileges to that of an administrator’s.

The same could also be done in the update profile function. However, since there was no check to validate whether user registration was enabled on the site, attackers didn’t need to compromise an existing account, and could take over the website without much effort.

Wordfence reported these vulnerabilities to ProfilePress around the end of May. The company responded swiftly, plugging the bugs with a patch (v3.1.4) within in a couple of days.

To shield against attack, users running vulnerable versions (3.0-3.1.3) are urged to update immediately.

Mayank Sharma

With almost two decades of writing and reporting on Linux, Mayank Sharma would like everyone to think he’s TechRadar Pro’s expert on the topic. Of course, he’s just as interested in other computing topics, particularly cybersecurity, cloud, containers, and coding.