Quartet of critical web security flaws plague CMS software
Four security issues, all assigned a high CVSS score of 9.8, were discovered in May by researchers from Wordfence.
These flaws made it possible for an attacker to escalate user privileges and upload malicious code, resulting in the full takeover of a WordPress website.
The plugin in question is ProfilePress, formerly named WP User Avatar, which facilitates the uploading of WordPress user profile images. The plugin has more than 40,000 installs, according to Wordfence.
Originally, as explained in an advisory from Wordfence, its only functionality was to upload images; however, a recent change saw the plugin augmented with new features including user login and registration.
It was flaws in the security of these feature updates that resulted in the vulnerabilities.
The first issue was a privilege escalation flaw. Wordfence explained: “During user registration, users could supply arbitrary user meta data that would get updated during the registration process.
“This included the user meta that controls a user’s capabilities and role. This made it possible for a user to supply that meta as an array parameter while registering, which would grant them the supplied capabilities, allowing them to set their role to any role they wanted, including administrator.”
There was no check to validate that user registration was enabled on the site, meaning users could register as an administrator even on sites where user registration was disabled.
Attackers could therefore “completely take over” a vulnerable WordPress website with little effort.
Next up comes a privilege escalation bug (CVE-2021-34622) in the user profile update functionality, which used the same method as above, but did require an attacker to have an account on a vulnerable website in order for the exploit to work.
“However, since the registration function didn’t validate if user registration was enabled, a user could easily sign up and exploit this vulnerability, if they weren’t able to exploit the privilege escalation vulnerability during registration,” according to Wordfence.
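To make the mass-assignment pattern behind both privilege escalation bugs concrete, here is an added illustration in plain PHP; it is not ProfilePress's code and models the logic rather than the plugin's actual handlers. The vulnerable function writes every submitted field to user meta, so a sign-up request that includes WordPress's standard capabilities meta key grants itself the administrator role; the hardened function refuses to register when the site has registration disabled and persists only an allowlisted set of profile fields, and the same allowlist is applied to the profile-update path. The key name `wp_capabilities` (WordPress's default table prefix plus `capabilities`), the allowlist, and the sample request are assumptions for the example; the quoted advisory above does not name the key.

```php
<?php
// Added example modelling the user-meta mass-assignment flaw described above.
// Stand-alone PHP, not ProfilePress code: in a real plugin the returned array
// would be written with update_user_meta() for the newly created user. The key
// 'wp_capabilities' is WordPress's standard role/capability meta key (default
// table prefix 'wp_' plus 'capabilities'); the request below is constructed.

declare(strict_types=1);

// Meta keys a profile form may legitimately set (assumed allowlist). Anything
// outside it, in particular wp_capabilities and wp_user_level, must never
// be taken from a request.
const ALLOWED_PROFILE_META = ['first_name', 'last_name', 'description', 'user_url'];

/**
 * Vulnerable pattern: every submitted field becomes user meta.
 * A request carrying wp_capabilities => ['administrator' => true] makes the
 * new account an administrator as soon as the meta is written.
 */
function vulnerable_registration_meta(array $request): array
{
    $meta = [];
    foreach ($request as $key => $value) {
        if (in_array($key, ['user_login', 'user_email', 'user_pass'], true)) {
            continue; // core account fields are handled by wp_insert_user()
        }
        $meta[$key] = $value; // no allowlist: wp_capabilities passes straight through
    }
    return $meta;
}

/**
 * Hardened pattern: refuse when registration is disabled and keep only
 * allowlisted keys. The role is never taken from the request; the caller
 * assigns get_option('default_role') via wp_insert_user().
 * Returns null when registration must be rejected.
 */
function hardened_registration_meta(array $request, bool $users_can_register): ?array
{
    if (!$users_can_register) {
        return null; // the site-wide registration check the plugin lacked
    }
    $meta = [];
    foreach (ALLOWED_PROFILE_META as $key) {
        if (array_key_exists($key, $request)) {
            $meta[$key] = is_string($request[$key]) ? $request[$key] : '';
        }
    }
    return $meta;
}

/** The profile-update path needs exactly the same allowlist. */
function hardened_profile_update_meta(array $request): array
{
    return hardened_registration_meta($request, true) ?? [];
}

// Constructed attacker request: a normal sign-up plus a smuggled capabilities array.
$request = [
    'user_login'      => 'newuser',
    'user_email'      => 'newuser@example.invalid',
    'user_pass'       => 'correct horse battery staple',
    'first_name'      => 'New',
    'wp_capabilities' => ['administrator' => true],
];

$vulnerable = vulnerable_registration_meta($request);
$hardened   = hardened_registration_meta($request, true);
$closed     = hardened_registration_meta($request, false);

printf("vulnerable writes wp_capabilities: %s\n", isset($vulnerable['wp_capabilities']) ? 'yes' : 'no');
printf("hardened writes wp_capabilities:   %s\n", isset($hardened['wp_capabilities']) ? 'yes' : 'no');
printf("hardened with registration off:    %s\n", $closed === null ? 'rejected' : 'accepted');
```

Run it with `php` on the command line. The point of the allowlist is that the role is a server-side decision: a registration handler should pass a fixed role to `wp_insert_user()` and never derive it, or any capability meta, from request data.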
Another vulnerability present was arbitrary file upload in the image uploader component (CVE-2021-34623). The image uploader in ProfilePress was insecurely implemented, relying on a single function to determine whether a file was safe or not.
An attacker could disguise a malicious file by uploading a spoofed file which would bypass the check.
This could be exploited to upload a webshell that would allow an attacker to gain remote code execution (RCE) and run commands on the server, achieving full site takeover.
Another arbitrary file upload vulnerability (CVE-2021-34624) in the plugin’s “custom fields” functionality, which performed the same kind of check for malicious files, could likewise be exploited to achieve RCE.
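As an added illustration of the spoofed-upload class (not ProfilePress's own code), the block below builds a constructed polyglot, a file that begins with a GIF header and continues with PHP, and runs it through two checks. The first is a signature-only check that asks PHP's `exif_imagetype()` whether the bytes look like an image; that the plugin used this particular function is my assumption, since the page does not name it. The polyglot passes and keeps its client-supplied `.php` name. The hardened check requires an allowlisted image extension, a content signature that agrees with that extension, a successful decode where GD is available, and a server-chosen filename, so the file can neither keep a `.php` name nor carry a trailing payload. It serves both the image-uploader and the custom-field upload paths, which need the same validation.

```php
<?php
// Added example, not ProfilePress code. Demonstrates why a content-signature
// check alone does not stop a webshell upload, and what a safer check does.
// Assumptions: PHP's exif extension is available for exif_imagetype(); the
// "upload" is a constructed temp file rather than a real $_FILES entry.

declare(strict_types=1);

// Extension -> exif_imagetype() constant the content must match (assumed allowlist).
const ALLOWED_IMAGE_TYPES = [
    'gif'  => IMAGETYPE_GIF,
    'jpg'  => IMAGETYPE_JPEG,
    'jpeg' => IMAGETYPE_JPEG,
    'png'  => IMAGETYPE_PNG,
];

/** Vulnerable: trusts the signature and keeps the client-supplied name. */
function vulnerable_accept_upload(string $tmpPath, string $clientName): ?string
{
    if (exif_imagetype($tmpPath) === false) {
        return null; // rejected: no recognised image signature
    }
    return $clientName; // accepted: "avatar.php" with a GIF header is stored as avatar.php
}

/** Hardened: allowlisted extension, signature must agree with it, server picks the name. */
function hardened_accept_upload(string $tmpPath, string $clientName): ?string
{
    $ext = strtolower(pathinfo($clientName, PATHINFO_EXTENSION));
    if (!isset(ALLOWED_IMAGE_TYPES[$ext])) {
        return null; // .php, .phtml, or any name without an allowlisted image suffix
    }
    $type = exif_imagetype($tmpPath);
    if ($type !== ALLOWED_IMAGE_TYPES[$ext]) {
        return null; // signature does not match the claimed extension
    }
    if (function_exists('imagecreatefromstring')) {
        // Re-decode with GD when available: a header glued onto PHP is not a decodable image.
        $img = @imagecreatefromstring((string) file_get_contents($tmpPath));
        if ($img === false) {
            return null; // valid signature but not a real image
        }
        imagedestroy($img);
    }
    // Never reuse the client's name: random name plus the allowlisted extension.
    return bin2hex(random_bytes(16)) . '.' . $ext;
}

/** Constructed polyglot: a GIF header followed by PHP (a harmless marker, not a shell). */
function make_polyglot(): string
{
    return "GIF89a" . "<?php echo 'polyglot executed'; ?>";
}

$tmp = tempnam(sys_get_temp_dir(), 'upl');
file_put_contents($tmp, make_polyglot());

printf("signature-only check on avatar.php: %s\n",
    vulnerable_accept_upload($tmp, 'avatar.php') ?? 'rejected');
printf("hardened check on avatar.php:       %s\n",
    hardened_accept_upload($tmp, 'avatar.php') ?? 'rejected');
printf("hardened check on avatar.gif:       %s\n",
    hardened_accept_upload($tmp, 'avatar.gif') ?? 'rejected');

unlink($tmp);
```

Inside WordPress the equivalent of the hardened path is to hand the upload to `wp_handle_upload()`, which applies `wp_check_filetype_and_ext()` to reconcile the extension with the real content, rather than writing a custom check around a single signature function.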
The critical vulnerabilities were reported to the plugin’s developer on May 27, and a patch was released by May 30.
Wordfence said they “recommend that users immediately update to the latest version available” of ProfilePress, currently version 3.1.8. Vulnerable versions include 3.1 to 3.1.3.