WordPress Plugin Vulnerabilities

Profile Builder < 3.4.9 - Admin Access via Password Reset

Description

The plugin has a bug that allows any user to reset the password of the blog's admin and gain unauthorised access, due to a bypass in the way the password reset key is checked. Furthermore, the admin is not notified of the change, for example by email.

Proof of Concept

The password reset key supplied in the request is compared against the stored password recovery key, but it is first passed through "sanitize_text_field". This allows a bypass: a key made of something the sanitization function strips, such as the tag <a>, passes the empty() checks (the raw variable is non-empty) but becomes an empty string before the database lookup. The lookup for an empty recovery key will usually match the first user, ID 1, which is the admin; if their password recovery key is empty, their password can be changed to any desired value simply with the URL http://localhost/rr/?key=<a>

1. Visit the password reset page of the plugin (i.e. the page where the [wppb-recover-password] shortcode is embedded).
2. Add this to the URL: "?key=<a>"
The sanitization function will strip the HTML, but the value still passes the empty() check because the raw variable contains something.
3. Enter the password twice in the password reset form and submit. This resets the admin's password to the password you entered.
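The following is an added illustration, not Profile Builder's own code, of the check described above: a minimal stand-in for the "empty() on the raw value, sanitize, then look up by key" pattern, placed next to a hardened version. Every name in it is an assumption (sanitize_text_field_stub mimics WordPress's sanitize_text_field by stripping tags and trimming; the $users array is a constructed user table), except check_password_reset_key(), which is the real WordPress API a plugin should use instead of its own lookup.

```php
<?php
// Added illustration, not the plugin's code. All names here are assumptions.

// Stand-in for WordPress's sanitize_text_field(): strips tags and trims.
function sanitize_text_field_stub(string $value): string {
    return trim(strip_tags($value));
}

// Constructed user table. ID 1 is the admin and, as is typical, has never
// requested a reset, so its stored recovery key is empty.
$users = [
    ['ID' => 1, 'user_login' => 'admin',  'user_activation_key' => ''],
    ['ID' => 2, 'user_login' => 'editor', 'user_activation_key' => 'abc123'],
];

// VULNERABLE: empty() runs on the raw value, the lookup on the sanitized one.
// "<a>" is non-empty, sanitizes to "", and the lookup then matches the first
// user whose stored key is "" (the admin).
function find_user_vulnerable(array $users, string $rawKey): ?array {
    if (empty($rawKey)) {
        return null;
    }
    $key = sanitize_text_field_stub($rawKey);
    foreach ($users as $u) {
        if ($u['user_activation_key'] == $key) {
            return $u;
        }
    }
    return null;
}

// HARDENED: sanitize first, reject an empty result, bind the key to an
// explicit login, never match an empty stored key, and compare in constant
// time. A real plugin should call check_password_reset_key($key, $login).
function find_user_hardened(array $users, string $rawKey, string $rawLogin): ?array {
    $key   = sanitize_text_field_stub($rawKey);
    $login = sanitize_text_field_stub($rawLogin);
    if ($key === '' || $login === '') {
        return null;
    }
    foreach ($users as $u) {
        if ($u['user_login'] !== $login) {
            continue;
        }
        if ($u['user_activation_key'] === '') {
            return null; // no outstanding reset request for this account
        }
        return hash_equals($u['user_activation_key'], $key) ? $u : null;
    }
    return null;
}

// Demonstration with the advisory's "<a>" payload and with a legitimate key.
function describe(?array $u): string {
    return $u ? "resets user '{$u['user_login']}'" : 'no match';
}
echo 'vulnerable, key "<a>":          ', describe(find_user_vulnerable($users, '<a>')), PHP_EOL;
echo 'hardened,   key "<a>", admin:   ', describe(find_user_hardened($users, '<a>', 'admin')), PHP_EOL;
echo 'hardened,   key "abc123", editor: ', describe(find_user_hardened($users, 'abc123', 'editor')), PHP_EOL;
```

Running this with `php` prints that the vulnerable lookup resets the admin, while the hardened lookup rejects the stripped key and only honours a real outstanding key for the account it was issued to. The two properties that matter are ordering (check emptiness after sanitization, not before) and never treating an empty stored key as a valid match; the upstream fix in 3.4.9 is not reproduced here.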

Affects Plugins

Fixed in 3.4.9

References

Classification

Miscellaneous

Original Researcher
Stiofan
Submitter
Stiofan
Verified
Yes

Timeline

Publicly Published
2021-07-19
Added
2021-07-19
Last Updated
2022-04-12