Password Recovery page with ‘key’ query parameter set to retrieved value. Image credit: wordfence
A recently discovered security vulnerability in the Cozmolabs Profile Builder WordPress plugin has raised significant concerns for users of the popular plugin, which boasts over 60,000 active installations.
Uncovering the Cozmolabs Profile Builder Vulnerability
The vulnerability, assigned CVE-2023-0814 with a CVSS score of 6.4, was brought to light by WordPress vulnerability researcher István Márton, who responsibly disclosed the issue to the Wordfence Threat Intelligence team. The flaw stems from a missing authorization check in the wppb_toolbox_usermeta_handler() function, allowing threat actors to exploit the vulnerability and gain elevated privileges by taking over arbitrary accounts.
Analyzing the Vulnerability
The vulnerability is rooted in the user_meta shortcode callback function, which accepts an array of attributes, including the user_id attribute used to create a new user object. The key attribute is subsequently used in a call to $user->get(), and the function returns the value of the retrieved key for the given user_id.
Notably, the plugin does not properly implement capability checks during this process, meaning that any authenticated user with subscriber-level permissions or higher can exploit the vulnerability by sending a specially crafted HTTP POST request to the wp-admin/admin-ajax.php endpoint.
From Password Reset to Privilege Escalation
The Profile Builder plugin features a password recovery form through the [wppb-recover-password] shortcode. Users can submit their username or email address to receive an email containing a password reset link with a user activation key, which is stored in the user_activation_key column in the WordPress database. Exploiting CVE-2023-0814, threat actors can retrieve this key for any user.
To do so, the attacker first generates the user activation key by submitting the targeted user’s username or email address in the password recovery form. Next, they make a POST request with the user_id set to the targeted user ID and the key attribute set to user_activation_key. Once the attacker has obtained the user activation key, they can reset the targeted user’s password and subsequently log in with the new credentials, effectively taking over the account.
Protecting Your WordPress Site
To safeguard your WordPress site against this security vulnerability, admins are recommended to update the Cozmolabs Profile Builder plugin to the latest version (3.9.2).
