Profile Builder < 3.4.9 – Admin Access via Password Reset | CVE 2021-24527

Description

The plugin has a bug allowing any user to reset the password of the admin of the blog, and gain unauthorised access, due to a bypass in the way the reset key is checked. Furthermore, the admin will not be notified of such change by email for example.

Proof of Concept

The password reset key is checked against the password recovery key but it runs through "sanitize_text_field" so we have a bypass where we can pass the key as something we know the sanitize function will strip like a tag <a> and this will get us past the empty() checks and then check the DB for an empty string, usually this will be the first user with ID 1 which is the admin, so if their password recovery key is empty we can change thier pass to our desired pass just with the URL http://localhost/rr/?key=<a>

1. Visit the password reset page of the plugin (ie where the [wppb-recover-password] is embed).
2. Add this to the URL "?key=<a>"
The sanitization function will strip HTML but this will pass the empty() check as the variable contains something.
3. Enter the password twice in the password reset form and submit, this will reset the admin password to the password you entered.