
CVE-2021-34624 Scanner
CVE-2021-34624 Scanner - Arbitrary File Upload vulnerability in ProfilePress (WordPress)
Short Info
Level: Single Scan
Can be used by: Asset Owner
Estimated Time: 10 seconds
Time Interval: 8 days 18 hours
Scan only one: Domain, Subdomain, IPv4
Toolbox: -
ProfilePress (formerly WP User Avatar) is a WordPress plugin for user registration, login and profile management. It is typically installed by site administrators and developers who want a single plugin for member areas and user-centric sites: frontend login and registration forms, email notifications, custom redirects after login, social login and member-only content. Because it is easy to set up and covers most membership needs, it is widely deployed across many kinds of sites, which also makes a flaw in its upload handling widely exposed.
CVE-2021-34624 is an arbitrary file upload vulnerability in the plugin's file uploader component, located in ~/src/Classes/FileUploader.php. Versions 3.0.0 through 3.1.3 are affected; the issue was fixed in 3.1.4. Because the uploader is reachable by unauthenticated users, anyone can upload a file of any type to the server, bypassing the checks that should restrict uploads to profile documents, and a PHP file uploaded this way can then be executed by the web server. No authentication or user interaction is needed, which is why the vulnerability is rated critical and why an exposed, unpatched site should be treated as at risk of full compromise.
The root cause is missing validation of the type and content of user-uploaded files. Uploads are handled through the '/wp-admin/admin-ajax.php' endpoint as part of a registration or profile update; the request's 'action' parameter selects the handler and the 'files' parameter carries the upload, and neither the file extension nor the content is checked, so a PHP file is accepted like any other document. An attacker only needs a multipart/form-data POST with the file in the 'files' field. A successful upload returns HTTP 200 and the file is written to '/wp-content/uploads/pp-files/', where it can be requested directly by name. When verifying, do not rely on the 200 status alone: confirm that the uploaded file is reachable under that directory, since admin-ajax.php commonly returns 200 even for error responses.
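The request and file locations above can be turned into a log-based detection. The following Python script is an added example, not part of the original page or the ProfilePress project: it parses combined-format web server access log lines (the sample lines are constructed) and flags any request for a PHP-executable file under /wp-content/uploads/pp-files/, raising the severity when the same client POSTed to /wp-admin/admin-ajax.php shortly before. The ten-minute window and the list of executable extensions are assumptions about a typical deployment.

```python
import re
from datetime import datetime, timedelta

# Constructed sample lines in Apache/nginx "combined" log format; not real traffic.
SAMPLE_LOG = """\
203.0.113.10 - - [12/Jul/2021:10:01:02 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 84 "-" "python-requests/2.25.1"
203.0.113.10 - - [12/Jul/2021:10:01:05 +0000] "GET /wp-content/uploads/pp-files/shell.php?c=id HTTP/1.1" 200 512 "-" "python-requests/2.25.1"
198.51.100.7 - - [12/Jul/2021:10:02:00 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 120 "https://example.com/register" "Mozilla/5.0"
198.51.100.7 - - [12/Jul/2021:10:02:03 +0000] "GET /wp-content/uploads/pp-files/cv.pdf HTTP/1.1" 200 20480 "https://example.com/profile" "Mozilla/5.0"
192.0.2.55 - - [12/Jul/2021:11:30:00 +0000] "GET /wp-content/uploads/pp-files/backdoor.phtml HTTP/1.1" 200 256 "-" "curl/7.68.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

UPLOAD_ENDPOINT = "/wp-admin/admin-ajax.php"   # endpoint named in the advisory text
UPLOAD_DIR = "/wp-content/uploads/pp-files/"   # where uploaded files land
# Extensions a typical PHP handler config will execute (assumption about the deployment).
EXEC_EXT_RE = re.compile(r"\.(php\d?|phtml|phar)$", re.IGNORECASE)


def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], TS_FMT)
    ev["status"] = int(ev["status"])
    ev["path"] = ev["path"].split("?", 1)[0]  # drop the query string
    return ev


def find_suspicious(log_text, window=timedelta(minutes=10)):
    """Flag GETs for executable files under the ProfilePress upload directory.

    Severity is "high" when the same client POSTed to admin-ajax.php within
    `window` before the GET and the GET succeeded; otherwise "medium".
    """
    events = [ev for ev in map(parse_line, log_text.splitlines()) if ev]
    findings = []
    for ev in events:
        if ev["method"] != "GET" or not ev["path"].startswith(UPLOAD_DIR):
            continue
        if not EXEC_EXT_RE.search(ev["path"]):
            continue
        prior_post = any(
            p["method"] == "POST" and p["path"] == UPLOAD_ENDPOINT
            and p["ip"] == ev["ip"]
            and timedelta(0) <= ev["ts"] - p["ts"] <= window
            for p in events
        )
        findings.append({
            "ip": ev["ip"],
            "path": ev["path"],
            "status": ev["status"],
            "severity": "high" if prior_post and ev["status"] == 200 else "medium",
        })
    return findings


if __name__ == "__main__":
    for f in find_suspicious(SAMPLE_LOG):
        print(f"{f['severity']:6} {f['ip']:15} {f['path']} ({f['status']})")
```

On the sample data the GET for shell.php three seconds after a POST from the same address is reported as high, the PDF download by a normal user is ignored, and the .phtml request with no preceding upload is still reported as medium, since nothing executable should ever be served from that directory.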
Successful exploitation can lead to complete server compromise: an uploaded PHP file gives the attacker a web shell or persistent backdoor, from which they can read the database and user data, pivot into the hosting environment, host phishing pages, distribute malware, or enlist the server in a botnet. Downtime, data breaches and reputational damage follow. Affected sites should update ProfilePress to 3.1.4 or later, then inspect '/wp-content/uploads/pp-files/' for any file that is not a legitimate user document and treat a PHP file there as evidence of compromise. As a defence-in-depth measure, configure the web server to refuse to execute PHP under wp-content/uploads, which blocks this whole class of upload-to-execute attacks even before a patch is available.
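For an asset owner checking whether a site was already hit, the following Python script is an added example (not the page's or the plugin's code) that walks an upload directory and flags files that should never be there: executable PHP extensions, a .php inner extension such as name.php.jpg, a stray .htaccess, or PHP open tags inside a file regardless of its name. The sample files are constructed in a temporary directory for the demo; in practice point triage_uploads() at the real wp-content/uploads/pp-files path.

```python
import os
import re
import tempfile

# Extensions a typical PHP handler config will execute (assumption about the deployment).
EXEC_EXT_RE = re.compile(r"\.(php\d?|phtml|phar)$", re.IGNORECASE)
# PHP open tags: "<?php" and the short echo tag "<?=".
PHP_TAG_RE = re.compile(rb"<\?(php|=)")


def triage_uploads(root):
    """Return (relative_path, [reasons]) for files that should not sit in an upload directory."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root)
            reasons = []
            if EXEC_EXT_RE.search(name):
                reasons.append("executable extension")
            elif ".php" in name.lower():
                # e.g. image.php.jpg: some handler configs match on inner extensions
                reasons.append("php in inner extension")
            if name == ".htaccess":
                # an attacker-dropped .htaccess can re-enable PHP execution in uploads
                reasons.append(".htaccess in upload dir")
            with open(full, "rb") as fh:
                head = fh.read(4096)  # tags normally appear at the start of a web shell
            if PHP_TAG_RE.search(head):
                reasons.append("contains PHP open tag")
            if reasons:
                findings.append((rel, reasons))
    return sorted(findings)


def build_sample_tree(root):
    """Write constructed sample files; none are recovered from a real compromise."""
    samples = {
        "cv.pdf": b"%PDF-1.4\n%constructed sample\n",
        "avatar.jpg": b"\xff\xd8\xff\xe0JFIF",
        "shell.php": b"<?php echo 'constructed sample'; ?>",
        "image.php.jpg": b"\xff\xd8\xff\xe0<?php echo 1; ?>",
        "notes.txt": b"<?= 'short tag sample' ?>",
    }
    for name, content in samples.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(content)


def demo():
    """Build the sample tree in a temp dir and return the triage findings."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return triage_uploads(tmp)


if __name__ == "__main__":
    for rel, reasons in demo():
        print(f"{rel}: {', '.join(reasons)}")
```

Extension checks alone miss the polyglot and renamed cases, which is why the content check runs on every file; conversely a file with a PHP extension is flagged even if it looks empty, because the web server will still hand it to the PHP interpreter.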