profile-builder < 3.11.9 – Unauthenticated Privilege Escalation | CVE 2024-6695 | Plugin Vulnerabilities

Description

it's possible for an attacker to gain administrative access without having any kind of account on the targeted site and perform unauthorized actions. This is due to improper logic flow on the user registration process.

Proof of Concept

1. "Login after registration" option has to be enabled.

2. Register using an administrator email like:

   administrator@adminemail.com 

make sure to use spaces in the e-mail.

3. The following url format can be used to login (if you don't get redirected):

http://testsire/?p=403&autologin=true&uid=1&_wpnonce=93720382a4

the nonce can be taken from the "autologin" redirect once the registration is finished.

Affects Plugins

profile-builder

Fixed in 3.11.9

References

CVE

Classification

Type

AUTHBYPASS

OWASP top 10

A2: Broken Authentication and Session Management

CWE

CVSS

Miscellaneous

Original Researcher

John Castro

Submitter

John Castro

Verified

Yes

WPVDB ID

4afa5c85-ce27-4ca7-bba2-61fb39c53a5b

Timeline

Publicly Published

2024-07-10 (about 1 year ago)

Added

2024-07-15 (about 1 year ago)

Last Updated

2024-07-15 (about 1 year ago)

Other

Published

Title

Published

2016-10-14

Title

OneLogin SAML SSO <= 2.4.2 - Signature Wrapping

Published

2015-02-19

Title

Duplicator 0.5.8 - Privilege Escalation

Published

2025-05-05

Title

BuddyBoss Platform Pro < 2.7.10 - Authentication Bypass via Apple OAuth provider

Published

2024-01-17

Title

Web3 – Crypto wallet Login & NFT token gating < 3.0.0 - Authentication Bypass

Published

2024-12-03

Title

Registration Forms – User Registration Forms, Invitation-Based Registrations, Front-end User Profile, Login Form & Content Restriction Social Sites Login < 1.8 - Authentication Bypass via WordPress.com OAuth provider