During a routine audit of various WordPress plugins, we identified some issues in Profile Builder and Profile Builder Pro (50k+ active installs). We discovered an Unauthenticated Privilege Escalation Vulnerability which could allow attackers to gain administrative access without having any kind of account on the targeted site and perform unauthorized actions.
This vulnerability was fixed on July 11th, with version 3.11.9.
| Field | Value |
|---|---|
| Fixed Version | 3.11.9 |
| CVE ID | CVE-2024-6695 |
| WPVDB-ID | 4afa5c85-ce27-4ca7-bba2-61fb39c53a5b |
| CVSSv3.1 | 9.8 |
During the standard registration process, after a user successfully creates an account, they are automatically logged into the system with the subscriber role. Prior to this, the plugin conducts several checks to ensure the email is valid and that the user is not already registered:
```php
function wppb_check_email_value( $message, $field, $request_data, $form_location ) {
    global $wpdb;

    if ( isset( $request_data['email'] ) ) {
        $request_data['email'] = apply_filters( 'wppb_before_processing_email_from_forms', stripslashes( $request_data['email'] ) );

        // Required-field check
        if ( ( isset( $request_data['email'] ) && ( trim( $request_data['email'] ) == '' ) ) && ( $field['required'] == 'Yes' ) )
            return wppb_required_field_error( $field["field-title"] );

        // Format check
        if ( isset( $request_data['email'] ) && ! is_email( trim( $request_data['email'] ) ) ) {
            return __( 'The email you entered is not a valid email address.', 'profile-builder' );
        }

        // Duplicate check: reject the registration if the email already belongs to an account
        $users = $wpdb->get_results( $wpdb->prepare( "SELECT * FROM {$wpdb->users} WHERE user_email = %s", $request_data['email'] ) );
        if ( ! empty( $users ) ) { //register again
            if ( $form_location == 'register' )
                return __( 'This email is already in use.', 'profile-builder' ) . '<br/>' . __( 'Please try a different one!', 'profile-builder' );
        }
    }
}
```
Once the registration process is complete, the automatic login begins by generating a security nonce after retrieving the user object using the user’s email address:
```php
function wppb_log_in_user( $redirect, $redirect_old ) {
    if ( is_user_logged_in() ) {
        return;
    }

    $wppb_general_settings = get_option( 'wppb_general_settings' );
    if ( isset( $wppb_general_settings['emailConfirmation'] ) && ( $wppb_general_settings['emailConfirmation'] == 'yes' ) ) {
        return $redirect_old;
    }

    /* get user id */
    if ( empty( $_POST['email'] ) )
        return;

    // The account to log in is resolved again here, from the raw POST email field
    $user = get_user_by( 'email', trim( sanitize_email( $_POST['email'] ) ) );
    if ( ! $user )
        return;

    // Nonce bound to the resolved user ID and the current minute
    $nonce = wp_create_nonce( 'autologin-' . $user->ID . '-' . (int) ( time() / 60 ) );

    // Additional code omitted for brevity

    $redirect = add_query_arg( array( 'autologin' => 'true', 'uid' => $user->ID, '_wpnonce' => $nonce ), $redirect );
}
```
Finally, the previously created nonce and the user ID are used to automatically log the user in with the corresponding privileges of that user ID:
```php
add_action( 'init', 'wppb_autologin_after_registration' );
function wppb_autologin_after_registration() {
    if ( isset( $_GET['autologin'] ) && isset( $_GET['uid'] ) && isset( $_REQUEST['_wpnonce'] ) ) {
        $uid              = absint( $_GET['uid'] );
        $arr_params       = array( 'autologin', 'uid', '_wpnonce' );
        $current_page_url = remove_query_arg( $arr_params, wppb_curpageurl() );

        // Accept a nonce minted in the current or the previous minute
        if ( ! ( wp_verify_nonce( sanitize_text_field( $_REQUEST['_wpnonce'] ), 'autologin-' . $uid . '-' . (int) ( time() / 60 ) )
              || wp_verify_nonce( sanitize_text_field( $_REQUEST['_wpnonce'] ), 'autologin-' . $uid . '-' . (int) ( time() / 60 - 1 ) ) ) ) {
            wp_redirect( $current_page_url );
            exit;
        } else {
            // Sets the session for whatever user ID the nonce validates against
            wp_set_auth_cookie( $uid );
            wp_redirect( $current_page_url );
            exit;
        }
    }
}
```
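The three functions above form one procedure: validate the submitted email, resolve an account and mint a nonce for it, then set the auth cookie for the `uid` the nonce validates against. The following is an added example of how a defender would harden that flow; it is not the plugin's code and not the fix shipped in 3.11.9. It assumes a hypothetical hook that receives the ID returned by the registration step (`$new_user_id`) so the auto-login is bound to the account that was actually created rather than re-resolved from the request, and it adds two defence-in-depth checks on the receiving side: the account must not hold privileged capabilities, and it must have been registered within the last few minutes. `wppb_curpageurl()` is replaced with `remove_query_arg()` operating on the current request URI.

```php
<?php
// Added example, not the plugin's code: post-registration auto-login bound to the
// account the registration step created, with role and recency checks on redemption.

const EXAMPLE_AUTOLOGIN_MAX_AGE = 300; // seconds; constructed limit for "just registered"

// Hypothetical hook: assume the registration step passes the new user's ID here
// instead of having us look the account up again from $_POST['email'].
function example_build_autologin_redirect( $redirect, $new_user_id ) {
    if ( is_user_logged_in() ) {
        return $redirect;
    }

    $user = get_userdata( absint( $new_user_id ) );
    if ( ! $user || ! example_is_autologin_eligible( $user ) ) {
        return $redirect;
    }

    $window = (int) ( time() / 60 );
    $nonce  = wp_create_nonce( 'autologin-' . $user->ID . '-' . $window );

    return add_query_arg(
        array( 'autologin' => 'true', 'uid' => $user->ID, '_wpnonce' => $nonce ),
        $redirect
    );
}

// Only freshly registered, unprivileged accounts may be auto-logged-in.
function example_is_autologin_eligible( WP_User $user ) {
    // Refuse any account that can publish content or manage the site.
    if ( user_can( $user, 'edit_posts' ) || user_can( $user, 'manage_options' ) ) {
        return false;
    }

    // user_registered is stored as a GMT timestamp string.
    $registered = strtotime( $user->user_registered . ' UTC' );
    if ( false === $registered || ( time() - $registered ) > EXAMPLE_AUTOLOGIN_MAX_AGE ) {
        return false;
    }

    return true;
}

add_action( 'init', 'example_autologin_after_registration' );
function example_autologin_after_registration() {
    if ( ! isset( $_GET['autologin'], $_GET['uid'], $_REQUEST['_wpnonce'] ) ) {
        return;
    }

    $uid   = absint( $_GET['uid'] );
    $nonce = sanitize_text_field( wp_unslash( $_REQUEST['_wpnonce'] ) );

    // Strip the auto-login parameters from the current request URI for the redirect.
    $current_page_url = remove_query_arg( array( 'autologin', 'uid', '_wpnonce' ) );

    $now   = (int) ( time() / 60 );
    $valid = wp_verify_nonce( $nonce, 'autologin-' . $uid . '-' . $now )
          || wp_verify_nonce( $nonce, 'autologin-' . $uid . '-' . ( $now - 1 ) );

    $user = $valid ? get_userdata( $uid ) : false;

    // A valid nonce is not enough: the target account must still be eligible.
    if ( $user && example_is_autologin_eligible( $user ) ) {
        wp_set_auth_cookie( $user->ID );
    }

    wp_safe_redirect( $current_page_url );
    exit;
}
```

The role check on redemption is deliberately redundant with the one at issuance: if any future code path mints an auto-login nonce for the wrong account, the receiving side still refuses to open a session for an account that can edit content or manage the site.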
The plugin does not treat the user-supplied email consistently across these stages: the registration check validates one value, while `wppb_log_in_user` resolves the account to log in separately from `$_POST['email']`, and `wppb_autologin_after_registration` then opens a session for whichever user ID that resolution produced. This inconsistency creates an exploitable situation that allows an unauthenticated attacker to gain administrative access to the targeted website.
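For sites that could not update before the proof of concept is released, an added detection example (not part of this advisory) follows. It scans access-log lines in the common combined format for redemptions of the plugin's auto-login link (`autologin=true&uid=…`) and flags any whose `uid` belongs to a privileged account; a legitimate registration should only ever auto-login a newly created subscriber. The log lines and the list of privileged user IDs are constructed for the example; on a real site the list would come from, for instance, `wp user list --role=administrator`.

```php
<?php
// Added example, not from the advisory: flag auto-login redemptions for privileged user IDs.

// Constructed sample access-log lines (combined format). One ordinary registration
// followed by its own auto-login for uid 57, then an auto-login request for uid 1.
$sample_log = <<<'LOG'
203.0.113.10 - - [12/Jul/2024:10:01:02 +0000] "POST /register/ HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.10 - - [12/Jul/2024:10:01:03 +0000] "GET /?autologin=true&uid=57&_wpnonce=abcd1234ef HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.7 - - [12/Jul/2024:10:05:44 +0000] "GET /?autologin=true&uid=1&_wpnonce=0123456789 HTTP/1.1" 302 0 "-" "curl/8.0"
LOG;

// Constructed: user IDs of administrator accounts on the site being monitored.
$privileged_uids = array( 1, 2 );

/**
 * Return one finding per auto-login request whose uid is a privileged account.
 * Each finding carries the client IP, timestamp and uid so it can be raised as an alert.
 */
function example_find_privileged_autologins( string $log, array $privileged_uids ): array {
    $findings = array();

    foreach ( preg_split( '/\R/', trim( $log ) ) as $line ) {
        // client, ident, user, [timestamp], "METHOD path protocol"
        if ( ! preg_match( '/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*"/', $line, $m ) ) {
            continue;
        }
        list( , $ip, $timestamp, $method, $path ) = $m;

        $query = parse_url( $path, PHP_URL_QUERY );
        if ( empty( $query ) ) {
            continue;
        }
        parse_str( $query, $params );

        if ( ( $params['autologin'] ?? '' ) !== 'true' || ! isset( $params['uid'] ) ) {
            continue;
        }

        $uid = (int) $params['uid'];
        if ( in_array( $uid, $privileged_uids, true ) ) {
            $findings[] = array(
                'ip'     => $ip,
                'time'   => $timestamp,
                'method' => $method,
                'uid'    => $uid,
                'reason' => 'auto-login redemption for privileged user ID',
            );
        }
    }

    return $findings;
}

foreach ( example_find_privileged_autologins( $sample_log, $privileged_uids ) as $finding ) {
    printf( "ALERT %s %s uid=%d from %s: %s\n",
        $finding['time'], $finding['method'], $finding['uid'], $finding['ip'], $finding['reason'] );
}
```

Run with `php` against a saved log, or adapt the loop to read `php://stdin`; on the constructed input it reports the single request for uid 1 and stays silent on the uid 57 registration. Because the nonce itself is opaque in the log, the signal is the uid, not the token.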
A proof of concept will be made available on August 5th, 2024.
Timeline
- July 10th, 2024 – Internal discovery of this vulnerability. We report the issue to Profile Builder.
- July 11th, 2024 – Profile Builder confirms they could replicate the problem and releases a new version.
- July 15th, 2024 – We publish this advisory.
Credits
- Original research: John Castro
- Thanks to: The WPScan team for feedback, help, and corrections.