Profile Builder by Cozmoslabs WordPress plugin Privilege Escalation
REPORT ID: 512e7307-04a5-4d8b-8f79-f75f37784a9f
The plugin contains an Insecure Password Reset Mechanism and a Sensitive Information Disclosure via Shortcode vulnerability, which together lead to Privilege Escalation. The plugin implements the password reset check improperly, allowing an attacker to reset another user's password and gain unauthorized access. The key required for the password reset, which is stored in the database, can be retrieved with the plugin's shortcode by an authenticated user.
Let’s check the plugin
The wppb_toolbox_usermeta_handler() function gets user meta with the following code:
$value = $user->get( $atts['key'] );
There are no restrictions on which user fields or meta values can be queried this way; WP_User::get() also returns columns of the users table, including user_activation_key.
The wppb_front_end_password_recovery() function handles the password reset with the following code:
$key = sanitize_text_field( $_POST['key'] );
$user_object = $wpdb->get_row( $wpdb->prepare( "SELECT * FROM $wpdb->users WHERE user_activation_key = %s", $key ) );
The problem is that the value submitted in the request is compared directly against the hashed activation key stored in the database, so anyone who knows the stored hash can pass the check without ever having received the plaintext key by e-mail.
Note: In the core method, the plaintext key is sent to the user by e-mail and only its hash is stored in the database. During the password reset, the key received by e-mail is hashed and compared with the stored hash. This is done for security reasons, as it prevents abuse of the hash stored in the database.
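As an added illustration (not the plugin's own code or the vendor's patch), the two handlers above in a hardened form: the shortcode handler only exposes an explicit allowlist of meta keys, and the recovery handler hands the submitted plaintext key and login to WordPress core, which hashes the key, compares it with the stored hash and checks its expiry. The function names, the allowlist and the pass1/pass2 field names are assumptions; the core functions (check_password_reset_key, reset_password, sanitize_key, wp_unslash) are real WordPress APIs.

```php
<?php
// Added example, assuming it runs inside a WordPress plugin so core functions are loaded.

// 1. Usermeta shortcode: only expose an allowlist of meta keys, never columns of
//    the users table such as user_activation_key or user_pass.
function hardened_usermeta_handler( $atts, $user ) {
    $allowed = array( 'first_name', 'last_name', 'description' ); // assumed allowlist
    $key     = isset( $atts['key'] ) ? sanitize_key( $atts['key'] ) : '';
    if ( ! in_array( $key, $allowed, true ) ) {
        return ''; // unknown or sensitive key: return nothing instead of the raw value
    }
    return esc_html( get_user_meta( $user->ID, $key, true ) );
}

// 2. Password recovery: never look the user up by the stored (hashed) key.
//    Take the plaintext key plus the login from the request and let core verify it.
function hardened_password_recovery() {
    $key   = isset( $_POST['key'] )   ? sanitize_text_field( wp_unslash( $_POST['key'] ) ) : '';
    $login = isset( $_POST['login'] ) ? sanitize_user( wp_unslash( $_POST['login'] ) ) : '';
    if ( '' === $key || '' === $login ) {
        return new WP_Error( 'invalid_request', 'Missing key or login.' );
    }

    // Core hashes $key, compares it with user_activation_key and enforces expiry.
    $user = check_password_reset_key( $key, $login );
    if ( is_wp_error( $user ) ) {
        return $user; // 'invalid_key' or 'expired_key': reject without touching the account
    }

    // Assumed field names for the password and repeat-password inputs.
    $pass1 = isset( $_POST['pass1'] ) ? (string) wp_unslash( $_POST['pass1'] ) : '';
    $pass2 = isset( $_POST['pass2'] ) ? (string) wp_unslash( $_POST['pass2'] ) : '';
    if ( '' === $pass1 || $pass1 !== $pass2 ) {
        return new WP_Error( 'password_mismatch', 'Passwords are empty or do not match.' );
    }

    reset_password( $user, $pass1 ); // core helper: sets the password and clears the key
    return true;
}
```

The decisive difference from the vulnerable query is that the database is never searched by the submitted value; the hash in the database is only ever an input to the comparison, never something the request can supply.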
Let’s configure the plugin
In the Profile Builder Settings, on the "Advanced Settings" tab, "Shortcodes" subtab, select the "Yes" option for "Enable Usermeta shortcode".
This setting allows the website to use the [user_meta] shortcode.
Let’s create a Recover Password page and add the following shortcode to it:
[wppb-recover-password]
Let’s see how we can exploit this vulnerability
There is an AJAX handler for retrieving the value rendered by the shortcode, which can be reached by any logged-in user.
I created a Python script that returns the user_activation_key:
The script returns the user activation key as a string. This key can then be used for the password reset: open the Recover Password page and add the key parameter to it.
If the key is correct, the form lets us change the user's password using the password and repeat password fields.
Try it
Feel free to try and use the lana.solutions/vdb WordPress websites for testing. I have set the roles and capabilities, so you can only get low level access to the website.
Website: https://lana.solutions/vdb/cozmoslabs-profile-builder/
Tags: exploit, password reset, php, privilege escalation, sensitive information disclosure, shortcode, wordpress plugin