Wordfence researchers warned of multiple flaws in a popular WordPress plugin that allows an attacker to upload arbitrary files to a vulnerable site to achieve remote code execution (RCE). On May 27, researchers discovered four security vulnerabilities, which were all assigned a high CVSS score of 9.8.
The first issue discovered was a privilege escalation flaw CVE-2021-34621. “During user registration, users could supply arbitrary user metadata that would get updated during the registration process. This included the wp_capabilities user meta that controls a user’s capabilities and role. This made it possible for a user to supply wp_capabilities as an array parameter while registering, which would grant them the supplied capabilities, allowing them to set their role to any role they wanted, including the administrator,” researchers explained.
In addition, there was no check to validate that user registration was enabled on the site, meaning users could register as an administrator even on sites where user registration was disabled. This meant that attackers could completely take charge of a susceptible WordPress site.
CVE-2021-34622, the second flaw in the user profile update functionality, uses the same technique as above but requires an attacker to have an account on a vulnerable site for the exploit to work.
“However, since the registration function did not validate if user registration was enabled, a user could easily sign up and exploit this vulnerability, if they were not able to exploit the privilege escalation vulnerability during registration,” according to Wordfence researchers.
Arbitrary file upload is the third flaw present in the image uploader component (CVE-2021-34623). The image uploader in ProfilePress was insecurely implemented using the exif_imagetype function to determine whether a file was safe or not. An attacker could disguise a malicious file by uploading a spoofed file which would bypass the exif_imagetype check.
CVE-2021-34624, the fourth and the last flaw present in the plugin’s ‘custom fields’ functionality, which also checks for malicious files, could be exploited to achieve RCE.
ProfilePress, formerly known as WP User Avatar, facilitates the uploading of WordPress user profile images and is installed on over 400,000 sites. Its only functionality was to upload photos; however, a recent change saw the plugin augmented with new features including user login and registration. Unfortunately, the new features introduced several security flaws.
Chloe Chamberland, threat analyst at Wordfence discovered the bug by using a tool called WPDirectory to search the WordPress plugin repository for specific lines of code. “I did a routine search for wp_ajax hooks and found that this plugin had introduced some new AJAX actions that I hadn’t previously noticed before, which led to me further investigating them,” the researcher told.
