7,000 WordPress Sites Affected by Privilege Escalation Vulnerability in ProfileGrid WordPress Plugin

šŸ“¢ Did you know Wordfence runs aĀ Bug Bounty ProgramĀ for all WordPress plugin and themes at no cost to vendors?Ā Researchers can earnĀ up to $10,400,Ā for all in-scope vulnerabilities submittedĀ to our Bug Bounty Program! Find a vulnerability, submit the details directly to us, and we handle all the rest. For a limited time, all high risk issues are in-scope for all researchers!Ā 

On June 27th, 2024, during the 0-day Threat Hunt Promo of our Bug Bounty Program, we received a submission for a Privilege Escalation vulnerability in ProfileGrid, a WordPress plugin with more than 7,000 active installations. This vulnerability makes it possible for an authenticated attacker, with subscriber-level access and above, to grant themselves administrative privileges by updating user metadata.

Props to Tieu Pham Trong Nhan (aptx4869) who discovered and responsibly reported this vulnerability through the Wordfence Bug Bounty Program. This researcher earned a bounty of $488.00 for this discovery during the 0-day Threat Hunt Promo. Our mission is to Secure the Web, which is why we are investing in quality vulnerability research and collaborating with researchers of this caliber through our Bug Bounty Program. We are committed to making the WordPress ecosystem more secure, which ultimately makes the entire web more secure.

Wordfence Premium, Wordfence Care, and Wordfence Response users received a firewall rule to protect against any exploits targeting this vulnerability on July 3, 2024. Sites using the free version of Wordfence will receive the same protection 30 days later on August 2, 2024.

We contacted Metagauss on July 1, 2024, and received a response on July 2, 2024. After providing full disclosure details, the developer released a patch on July 3, 2024. We would like to commend Metagauss for their prompt response and timely patch.

We urge users to update their sites with the latest patched version of ProfileGrid, which is version 5.9.0, as soon as possible.

Vulnerability Summary from Wordfence Intelligence

Description: ProfileGrid ā€“ User Profiles, Groups and Communities <= 5.8.9 ā€“ Authenticated (Subscriber+) Authorization Bypass to Privilege Escalation
Affected Plugin: ProfileGrid ā€“ User Profiles, Groups and Communities
Plugin Slug: profilegrid-user-profiles-groups-and-communities
Affected Versions: <= 5.8.9
CVE ID: CVE-2024-6411
CVSS Score: 8.8 (High)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Researcher/s: Tieu Pham Trong Nhan (aptx4869), Truoc Phan
Fully Patched Version: 5.9.0
Bounty Award: $488.00

The ProfileGrid ā€“ User Profiles, Groups and Communities plugin for WordPress is vulnerable to privilege escalation in all versions up to, and including, 5.8.9. This is due to a lack of validation on user-supplied data in the ā€˜pm_upload_imageā€™ AJAX action. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update their user capabilities to Administrator.

Technical Analysis

ProfileGrid is a WordPress user profile and membership plugin, which includes many features, such as profiles, groups, communities, paid memberships, directories, private messaging and much more.

Examining the code reveals that the plugin uses the pm_upload_image() function in the Profile_Magic_Public class to upload, edit or delete the userā€™s profile picture. Unfortunately, this function was implemented insecurely, allowing all authenticated users to modify their capabilities, including granting themselves administrator capabilities.

$this->loader->add_action( ‘wp_ajax_pm_upload_image’, $plugin_public, ‘pm_upload_image’ );
public function pm_upload_image() {
require ‘partials/crop.php’;
die;
}

More specifically, the AJAX function loads the crop.php file, which contains the request processing.

$post = $pm_sanitizer->sanitize( $_POST );
update_user_meta($post[‘user_id’],$post[‘user_meta’],$post[‘attachment_id’]);

The most significant problem and vulnerability is caused by the fact that there are no restrictions on the userā€™s profile picture attachment meta key that is updated during a crop request, so the userā€™s metadata can be updated arbitrarily, and there is no text or array sanitization on the field value, so even an array value can be set, which is necessary for the capability meta option.

This made it possible for authenticated users, such as subscribers, to supply the ā€˜wp_capabilitiesā€™ array parameter with any desired capabilities, such as administrator, during the userā€™s profile picture update. This would update the ā€˜wp_capabilitiesā€™ user metadata value which controls what role and capabilities a user has on a WordPress site.

As with any Privilege Escalation vulnerability, this can be used for complete site compromise. Once an attacker has gained administrative user access to a WordPress site they can then manipulate anything on the targeted site as a normal administrator would. This includes the ability to upload plugin and theme files, which can be malicious zip files containing backdoors, and to modify posts and pages which can be leveraged to redirect site users to other malicious sites or inject spam content.

Disclosure Timeline

June 27, 2024 ā€“ We received the submission for the Privilege Escalation vulnerability in ProfileGrid via the Wordfence Bug Bounty Program.
June 28, 2024 ā€“ We validated the report and confirmed the proof-of-concept exploit.
July 1, 2024 ā€“ We initiated contact with the plugin vendor asking that they confirm the inbox for handling the discussion.
July 2, 2024 ā€“ The vendor confirmed the inbox for handling the discussion.
July 2, 2024 ā€“ We sent over the full disclosure details. The vendor acknowledged the report and began working on a fix.
July 3, 2024 ā€“ Wordfence Premium, Care, and Response users received a firewall rule to provide protection against any exploits that may target this vulnerability.
July 3, 2024 ā€“ The fully patched version of the plugin, 5.9.0, is released.
August 2, 2024 ā€“ Wordfence Free users will receive the same protection.

Conclusion

In this blog post, we detailed a Privilege Escalation vulnerability within the ProfileGrid plugin affecting versions 5.8.9 and earlier. This vulnerability allows authenticated threat actors with subscriber-level permissions or higher to elevate their privileges to that of a site administrator which could ultimately lead to complete site compromise. The vulnerability has been fully addressed in version 5.9.0 of the plugin.

We encourage WordPress users to verify that their sites are updated to the latest patched version of ProfileGrid.

Wordfence Premium, Wordfence Care, and Wordfence Response users received a firewall rule to protect against any exploits targeting this vulnerability on July 3, 2024. Sites using the free version of Wordfence will receive the same protection 30 days later on August 2, 2024.

If you know someone who uses this plugin on their site, we recommend sharing this advisory with them to ensure their site remains secure, as this vulnerability poses a significant risk.

The post 7,000 WordPress Sites Affected by Privilege Escalation Vulnerability in ProfileGrid WordPress Plugin appeared first on Wordfence.

Leave a Comment