Resources

People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!

Easily Exploitable Critical Vulnerability in ProfilePress Plugin of WordPress - 615

Numan Rajkotiya - SecureLayer. Posted 4 years ago.
  • ProfilePress (formerly WP User Avatar, the name most people still know it by) is installed on 400K sites. During registration, users could supply arbitrary metadata about themselves, and the plugin wrote it straight into the user's meta without any filtering.
  • This seems fine and dandy for fun customization, but it has a deadly issue: the metadata keys were never checked against an allowlist. Because WordPress derives a user's role from the wp_capabilities user-meta entry (the default table prefix plus "capabilities"), setting that key lets a new user pick their own role, including administrator.
  • To make matters worse, the endpoint does not even check whether registration is enabled on the site, so it can be exploited even when the feature is turned off. Damn!
  • The endpoint takes an array of user input. By passing wp_capabilities[administrator]=1 in the registration request, we poison the metadata of the newly created user and it is created as an admin. Complete game over!
  • This bug requires a good understanding of how WordPress works. I personally may not have found this right away simply because I would not have thought about the metadata being this important for the user creation.
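As an added illustration of the pattern described in the notes above, here is the vulnerable shape of such a registration handler next to a hardened version. This is my own reconstruction written for this page, not the plugin's actual code; the function names (`demo_register_user_vulnerable`, `demo_register_user_hardened`) and the list of allowed profile fields are assumptions. The WordPress functions used (`wp_insert_user`, `update_user_meta`, `get_option`, `sanitize_key`, `WP_User::set_role`) are real core APIs.

```php
<?php
// Added example for this page: illustrative reconstruction of the bug class,
// NOT the ProfilePress source. Function names are hypothetical.

// Vulnerable pattern: every key in the submitted array becomes user meta.
function demo_register_user_vulnerable( array $input ) {
    $user_id = wp_insert_user( array(
        'user_login' => sanitize_user( $input['username'] ?? '' ),
        'user_email' => sanitize_email( $input['email'] ?? '' ),
        'user_pass'  => $input['password'] ?? '',
    ) );
    if ( is_wp_error( $user_id ) ) {
        return $user_id;
    }
    // A request carrying wp_capabilities[administrator]=1 arrives here as
    // $input['wp_capabilities'] = array( 'administrator' => '1' ). WordPress
    // serializes the array into the capabilities meta key it reads roles from,
    // so the freshly registered user comes back as an administrator.
    foreach ( $input as $key => $value ) {
        update_user_meta( $user_id, $key, $value );
    }
    return $user_id;
}

// Hardened version: honour the site setting and allowlist the meta keys.
function demo_register_user_hardened( array $input ) {
    global $wpdb;

    // 1. The original endpoint skipped this check entirely.
    if ( ! get_option( 'users_can_register' ) ) {
        return new WP_Error( 'registration_disabled', 'Registration is closed.' );
    }

    $user_id = wp_insert_user( array(
        'user_login' => sanitize_user( $input['username'] ?? '' ),
        'user_email' => sanitize_email( $input['email'] ?? '' ),
        'user_pass'  => $input['password'] ?? '',
    ) );
    if ( is_wp_error( $user_id ) ) {
        return $user_id;
    }

    // 2. Only profile fields we explicitly chose may be written (assumed list).
    $allowed = array( 'first_name', 'last_name', 'nickname', 'description' );

    // 3. Belt and braces: the keys WordPress derives privilege from are never
    //    writable from request data, whatever the allowlist says. The real key
    //    is prefix-dependent, so it is built from $wpdb->prefix, not hard-coded.
    $protected = array(
        $wpdb->prefix . 'capabilities',
        $wpdb->prefix . 'user_level',
    );

    foreach ( $input as $key => $value ) {
        $key = sanitize_key( $key );
        if ( in_array( $key, $protected, true ) || ! in_array( $key, $allowed, true ) ) {
            continue; // silently drop anything not on the allowlist
        }
        update_user_meta( $user_id, $key, sanitize_text_field( wp_unslash( $value ) ) );
    }

    // 4. The role comes from configuration, never from the request body.
    $user = new WP_User( $user_id );
    $user->set_role( get_option( 'default_role', 'subscriber' ) );

    return $user_id;
}
```

A quick way to check a site for this class of bug is to register a test account with an extra `wp_capabilities[administrator]=1` field and then inspect `wp_usermeta` (`SELECT meta_value FROM wp_usermeta WHERE user_id = ... AND meta_key = 'wp_capabilities'`): anything other than the configured default role means request data is reaching the capabilities key.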