WordPress Plugin Vulnerabilities

Profile Builder < 3.9.8 - Unauthenticated Plugin's Pages Creation

Description

The plugin lacks authorisation and CSRF in its page creation function which allows unauthenticated users to create the register, log-in and edit-profile pages from the plugin on the blog

Proof of Concept

1. Access the URL: https://example.com/wp-admin/admin-post.php?page=profile-builder-basic-info&wppb_create_pages=true&wppb_force_create_pages=true 
2. As a logged in user, see that the pages `/register`, `/log-in`, and `/edit-profile` have been created.

Affects Plugins

Plugin icon
profile-builder
Fixed in 3.9.8

References

CVE
CVE-2023-4059

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
4.3 (medium)

Miscellaneous

Original Researcher
Mesh3l_911
Submitter
Mesh3l_911
Submitter website
https://mesh3l911.github.io/tabs/about/
Submitter twitter
mesh3l_911
Verified
Yes
WPVDB ID
fc719d12-2f58-4d1f-b696-0f937e706842

Timeline

Publicly Published
2023-08-09 (about 3 months ago)
Added
2023-08-09 (about 3 months ago)
Last Updated
2023-08-09 (about 3 months ago)

Other

Published
Title
Published
2022-09-29
Title
Redirection for Contact Form 7 < 2.6.0 - Unauthenticated Options Update to Stored XSS
Published
2023-01-10
Title
Royal Elementor Addons < 1.3.60 - Subscriber+ Arbitrary Template Import
Published
2022-05-27
Title
Plausible Analytics < 1.2.4 - Subscriber+ Arbitrary Settings Update
Published
2022-07-11
Title
YaySMTP < 2.2.1 - Subscriber+ SMTP Credentials Leak
Published
2023-02-27
Title
Wholesale Suite < 2.1.5.1 - Subscriber+ Missing Authorization for Plugin Settings Change