Wordfence Threat Intelligence team initiated the responsible disclosure process for several vulnerabilities that were discovered in ProfilePress, formerly WP User Avatar, a WordPress plugin installed on over 400,000 sites.

These flaws made it possible for an attacker to upload arbitrary files to a vulnerable site and register as an administrator on sites even if user registration was disabled, all without requiring any prior authentication.

These are critical and easily exploitable security issues that have been patched, therefore, we highly recommend updating to the latest patched version available, 3.1.8, immediately if you are running a vulnerable version of this plugin (3.1 – 3.1.3).

The first issue discovered allowed users to escalate their privileges, which could lead to site takeover. During user registration, users could supply arbitrary user meta data that would get updated during the registration process.

This included the wp_capabilities user meta that controls a user’s capabilities and role. This made it possible for a user to supply wp_capabilties as an array parameter while registering, which would grant them the supplied capabilities, allowing them to set their role to any role they wanted, including administrator.

if (is_array($custom_usermeta)) {
 
     foreach ($custom_usermeta as $key => $value) {
         if ( ! empty($value)) {
             update_user_meta($user_id, $key, $value);
             // the 'edit_profile' parameter is used to distinguish it from same action hook in RegistrationAuth
             do_action('ppress_after_custom_field_update', $key, $value, $user_id, 'registration');
         }

In addition, there was no check to validate that user registration was enabled on the site, making it possible for users to register as an administrator even on sites where user registration was disabled. This meant that attackers could completely take over a vulnerable WordPress site without much effort if a vulnerable version of this plugin was in use.

READ
U.S., U.K., and Australia Sanction Russian Hosting Provider Zservers for Aiding LockBit Ransomware

The same flaw was present within the user profile update functionality. The profile update functionality had the same feature that would take the key value pairs submitted during a profile update and update the user’s metadata in the database. The wp_capabilities user meta could be supplied as an array parameter set to administrator during a profile update which would allow attackers to escalate their privileges to that of an administrator.

if (is_array($custom_usermeta)) {
 
      $user_id = self::get_current_user_id();
 
      foreach ($custom_usermeta as $key => $value) {
 
          update_user_meta($user_id, $key, $value);
 
          // the 'edit_profile' parameter is used to distinguish it from same action hook in RegistrationAuth
          do_action('ppress_after_custom_field_update', $key, $value, $user_id, 'edit_profile');
      }
  }

This did require the attacker to have an account on a vulnerable site to exploit. However, since the registration function did not validate if user registration was enabled, a user could easily sign up and exploit this vulnerability, if they were not able to exploit the privilege escalation vulnerability during registration.

In addition to the privilege escalation vulnerabilities, the team found that arbitrary files, including PHP files, could be uploaded to a vulnerable WordPress site. The ability to upload profile and cover images to a user’s profile is a core part of the plugin’s functionality. Unfortunately, this function was insecurely implemented using the exif_imagetype function to determine a file’s type.

/ verify the file is a GIF, JPEG, or PNG
$fileType = exif_imagetype($image["tmp_name"]);
 
$allowed_image_type = apply_filters('ppress_allowed_image_type', array(
    IMAGETYPE_GIF,
    IMAGETYPE_JPEG,
    IMAGETYPE_PNG
));

The function exif_imagetype uses the first few bytes of a file, known as magic bytes, to determine a file’s type, and as such is considered an unsafe method to validate a file’s type. Any file can trivially be disguised to appear as a valid image file by adding these magic bytes to the beginning of the file. This made it possible for an attacker to upload a spoofed PHP file that would pass the exif_imagetype check during the user registration process or during a profile update.

READ
Russian-Linked Hackers Attack Microsoft 365 Accounts Using Device Code Phishing

This could be used to upload a web shell that would make it possible for an attacker to achieve remote code execution and run commands on a server to achieve a complete site takeover. Due to the fact that users could register even without user registration enabled, an attacker could exploit this vulnerability without authentication by uploading a profile picture or cover image during a registration request.