CVE-2024-6695 (CVSS 9.8) in Popular WordPress Plugin Exposes 50,000 Sites to Admin Hijacking
Security researcher John Castro has uncovered a critical vulnerability (CVE-2024-6695) in Profile Builder, a widely used WordPress plugin with over 50,000 active installations. The flaw, rated 9.8 on the CVSS scale, allows malicious actors to seize administrative control of vulnerable websites without any existing user account.
The vulnerability lets an attacker gain administrative access to a WordPress site without needing an account. This privilege escalation issue arises from inconsistencies in how the plugin handles user-provided email information during the registration process.
During standard registration, once a user successfully creates an account, they are automatically logged in with the subscriber role. The plugin performs several checks to validate the email and ensure the user is not already registered. However, it is during this automatic login process that the flaw becomes exploitable.
After the user object is retrieved using the email address, a security nonce is generated. This nonce, along with the user ID, is used to log the user in with the corresponding privileges. The inconsistency in handling email validation at various stages allows an attacker to manipulate this process, potentially gaining administrative access without any prior account on the targeted site.
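As an added illustration (hypothetical model code, not Profile Builder's), the following contrasts a register-then-auto-login flow whose duplicate check and post-registration lookup normalize the submitted email differently with a version that normalizes once and binds the session to the user ID returned by account creation. The whitespace/case mismatch is a constructed stand-in for the inconsistency class described above, not the plugin's actual defect.

```python
# Constructed model of a WordPress-style "register, then auto-login" flow.
# Hypothetical code, not Profile Builder's; the loose-vs-strict email
# normalization is a stand-in for the inconsistency class the article describes.
from dataclasses import dataclass, field


@dataclass
class User:
    user_id: int
    email: str
    role: str


@dataclass
class Site:
    # Constructed store: user 1 is the pre-existing administrator.
    users: dict = field(
        default_factory=lambda: {1: User(1, "admin@example.com", "administrator")}
    )

    def find_by_email(self, email):
        # Lookup stage normalizes the input (trim + lower-case) ...
        wanted = email.strip().lower()
        return next((u for u in self.users.values() if u.email.lower() == wanted), None)

    def create_user(self, email, role="subscriber"):
        uid = max(self.users) + 1
        self.users[uid] = User(uid, email, role)
        return uid

    def register_unsafe(self, email):
        # ... but the duplicate check compares the raw string, so a padded or
        # differently-cased copy of an existing address passes as "new".
        if any(u.email == email for u in self.users.values()):
            raise ValueError("already registered")
        self.create_user(email)
        # Auto-login re-resolves the account from the submitted email instead of
        # the ID just created, so the session can bind to an older account.
        return self.find_by_email(email).user_id

    def register_safe(self, email):
        # Same normalization at every stage, and the session is bound to the ID
        # returned by the creation step, never to a fresh lookup on user input.
        canonical = email.strip().lower()
        if self.find_by_email(canonical) is not None:
            raise ValueError("already registered")
        return self.create_user(canonical)
```

The unsafe path returns the administrator's ID for a padded copy of the admin address, while the safe path rejects it and only ever logs in the account it just created.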
While the CVE-2024-6695 vulnerability has been patched, a proof of concept demonstrating the exploit is expected to be released on August 5th, 2024. This release could potentially trigger a wave of attacks targeting websites that have not yet updated their Profile Builder plugin.
Website owners using the Profile Builder plugin are strongly urged to update to version 3.11.9 immediately. This release addresses the vulnerability and prevents exploitation.