Nasty WordPress plugin bugs could allow attackers to register as site admins
Users urged to update to patched version
Security researchers have discovered critical yet easily exploitable vulnerabilities in a popular WordPress plugin that can be abused to upload arbitrary files to affected websites.
In their breakdown of the vulnerability, researchers from Wordfence, which develops security solutions to protect WordPress installations, note that the affected plugin is installed on over 400,000 websites.
The ProfilePress plugin, earlier known as WP User Avatar, enables admins to design user profile pages, and create frontend forms for user registration. It also helps protect sensitive content and control user access.
Wordfence notes that the vulnerabilities could also be exploited by attackers to register themselves as a site administrator, even if the real admins had disabled user registration.
Improper implementation
According to Wordfence, although the ProfilePress plugin came into existence as a means to upload user profile photos, it recently metamorphosed into its current form and took on new user login and registration features.
Unfortunately, the new features weren’t properly coded, and that is where the vulnerabilities were introduced.
For instance, the plugin didn’t prevent users from supplying arbitrary metadata during the registration process, which Wordfence exploited to escalate a user’s privileges to those of an administrator.
The same could also be done through the update profile function. However, because the plugin never checked whether user registration was enabled on the site, attackers didn’t need to compromise an existing account and could take over the website without much effort.
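The two checks described above as missing, sketched as an added PHP example: it is not ProfilePress code, and it models the site options as a plain array so it runs outside WordPress. The field names, the allowlist and the sample request are assumptions made for illustration.

```php
<?php
// Added example, not ProfilePress code. Field names, ALLOWED_META and the
// $site array are assumptions made for this illustration.
const CORE_FIELDS  = ['user_login', 'user_email'];
const ALLOWED_META = ['first_name', 'last_name', 'description'];

function register_user(array $post, array $site): array
{
    // Check 1: honour the site-wide switch before doing anything else
    // (WordPress stores it in the 'users_can_register' option).
    if (empty($site['users_can_register'])) {
        throw new RuntimeException('user registration is disabled');
    }

    $login = is_string($post['user_login'] ?? null) ? trim($post['user_login']) : '';
    $email = filter_var($post['user_email'] ?? '', FILTER_VALIDATE_EMAIL);
    if ($login === '' || $email === false) {
        throw new InvalidArgumentException('invalid login or e-mail');
    }

    // Check 2: copy only allowlisted metadata. Anything else the client
    // sent is dropped and recorded so it can be logged or alerted on.
    $meta = [];
    $rejected = [];
    foreach ($post as $key => $value) {
        if (in_array($key, CORE_FIELDS, true)) {
            continue;
        }
        if (in_array($key, ALLOWED_META, true) && is_string($value)) {
            $meta[$key] = strip_tags($value);
        } else {
            $rejected[] = $key;
        }
    }

    // The role comes from site configuration, never from the request.
    $role = $site['default_role'] ?? 'subscriber';
    return compact('login', 'email', 'role', 'meta', 'rejected');
}

// Constructed sample request: one legitimate field, one unexpected key.
$post = ['user_login' => 'alice', 'user_email' => 'alice@example.com',
         'first_name' => 'Alice', 'internal_flag' => '1'];
print_r(register_user($post, ['users_can_register' => true, 'default_role' => 'subscriber']));
try {
    register_user($post, ['users_can_register' => false]);
} catch (RuntimeException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
```

The same allowlist belongs on the profile update path, since the article notes that function accepted arbitrary metadata as well.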
Wordfence reported these vulnerabilities to ProfilePress around the end of May. The company responded swiftly, plugging the bugs with a patch (v3.1.4) within a couple of days.
To shield against attack, users running vulnerable versions (3.0-3.1.3) are urged to update immediately.
With almost two decades of writing and reporting on Linux, Mayank Sharma would like everyone to think he’s TechRadar Pro’s expert on the topic. Of course, he’s just as interested in other computing topics, particularly cybersecurity, cloud, containers, and coding.