CVE-2021-24649: WP User Frontend WordPress Plugin Role Assignment Vulnerability

WP User Frontend versions up to and including 3.5.28 contain a privilege-escalation flaw that lets an attacker who knows the site's AUTH_KEY and AUTH_SALT constants register an account with any role, including administrator. The issue is tracked as CVE-2021-24649 and is fixed in 3.5.29. This article covers the root cause, the relevant code, the original references, and how the issue is exploited and mitigated.

The Vulnerability

The WP User Frontend plugin lets visitors register through a frontend registration form. That form carries a hidden field named "urhidden" which holds the role the new account should receive, encrypted with the plugin's wpuf_encryption() function; on submission the server decrypts the value and assigns that role. Because the encryption key is derived from the site's AUTH_KEY and AUTH_SALT constants, anyone who knows those two values can produce a valid ciphertext for any role, including administrator. The encryption only hides the role from a casual reader of the HTML; it is not an authorization check, and the server never compares the decrypted role against the role configured for the form.

The attack therefore depends entirely on the secrecy of those two constants. A site that still uses the default placeholder values from wp-config-sample.php, or one where an attacker can read wp-config.php through another vulnerability, lets the attacker compute a valid urhidden value for the administrator role and register an account with full control of the site.

Code Snippet

The following snippet shows the registration handler reading the "urhidden" field and turning it into the new account's role:

// Role for the new account, supplied by the client in a hidden form field.
$hidden_role = isset( $_POST['urhidden'] ) ? $_POST['urhidden'] : '';

if ( ! empty( $hidden_role ) ) {
    // Decrypt with the AUTH_KEY/AUTH_SALT-derived key and use the result
    // as the role. Nothing checks it against the form's configured role
    // or an allowlist, so a valid ciphertext of 'administrator' is honoured.
    $role = wpuf_decryption( $hidden_role );
} else {
    // No field sent: fall back to the role configured for this form.
    $role = $this->default_role_maybe_mapping( $form_id );
}

The wpuf_encryption() function protects the role with a symmetric cipher from the mcrypt extension (or OpenSSL on PHP builds without it; mcrypt was removed from PHP core in 7.2), keyed from the AUTH_KEY and AUTH_SALT constants. The mcrypt path looks like this:

function wpuf_encryption( $string ) {
    // ...
    // Key material: the first 448 bits (56 bytes, Blowfish's maximum key
    // size) of AUTH_KEY concatenated with AUTH_SALT. Whoever knows both
    // constants can reproduce every value this function has ever produced.
    $key = substr( AUTH_KEY . AUTH_SALT, 0, 448 / 8 );

    // ECB mode: mcrypt ignores the IV, identical plaintexts give identical
    // ciphertexts, and there is no authentication tag binding the value to
    // a particular form or user.
    $encrypted = mcrypt_encrypt(
            MCRYPT_BLOWFISH,
            $key,
            $string,
            MCRYPT_MODE_ECB,
            mcrypt_create_iv( mcrypt_get_iv_size( MCRYPT_BLOWFISH, MCRYPT_MODE_ECB ), MCRYPT_RAND )
    );
    // ...
    return $encrypted;
}
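The contrast below is an added example, not code from the WP User Frontend plugin or its fix. It puts the client-trusting pattern from the registration snippet above beside a handler that derives the role server-side and allowlists it. The form-settings lookup (example_default_role_for_form, backed by a constructed settings table) and the decrypt helper (example_decrypt_role, a base64 stand-in for wpuf_decryption()) are assumptions so the file runs from the CLI without WordPress.

```php
<?php
// Added example, not code from the WP User Frontend plugin. It contrasts
// the client-trusting pattern this page describes with a hardened handler.
// The form-settings lookup and the decrypt helper are stand-ins so the file
// runs from the CLI without WordPress.

// Roles a self-service registration form may ever hand out. Administrator
// and editor are deliberately absent.
const EXAMPLE_ALLOWED_ROLES = [ 'subscriber', 'contributor', 'author' ];

// Stand-in for the plugin's per-form settings (assumption: the real plugin
// keeps a 'role' entry in each form's saved settings). Constructed data.
function example_default_role_for_form( int $form_id ): string {
    $constructed_form_settings = [
        1 => [ 'role' => 'subscriber' ],
        2 => [ 'role' => 'author' ],
        3 => [ 'role' => 'administrator' ], // a misconfigured form
    ];
    return $constructed_form_settings[ $form_id ]['role'] ?? 'subscriber';
}

// Stand-in for wpuf_decryption(). The real function decrypts with the
// AUTH_KEY/AUTH_SALT-derived key; base64 is enough here to show that
// whoever can produce a valid token chooses the plaintext role.
function example_decrypt_role( string $token ): string {
    $plain = base64_decode( $token, true );
    return $plain === false ? '' : $plain;
}

// Vulnerable pattern (the behaviour this page describes): the role is read
// from the request and used as-is after decryption.
function vulnerable_registration_role( array $post, int $form_id ): string {
    $hidden_role = isset( $post['urhidden'] ) ? $post['urhidden'] : '';
    if ( ! empty( $hidden_role ) ) {
        return example_decrypt_role( $hidden_role ); // attacker-chosen string
    }
    return example_default_role_for_form( $form_id );
}

// Hardened pattern: the request is not consulted for the role at all. The
// role comes from server-side form settings and must pass an allowlist;
// a misconfigured form fails closed to the least-privileged role.
function hardened_registration_role( int $form_id ): string {
    $role = example_default_role_for_form( $form_id );
    if ( ! in_array( $role, EXAMPLE_ALLOWED_ROLES, true ) ) {
        $role = 'subscriber';
    }
    return $role;
}

// Constructed request from an attacker who can forge the token.
$forged_post = [ 'urhidden' => base64_encode( 'administrator' ) ];

printf( "vulnerable, form 1: %s\n", vulnerable_registration_role( $forged_post, 1 ) );
printf( "hardened,   form 1: %s\n", hardened_registration_role( 1 ) );
printf( "hardened,   form 3: %s\n", hardened_registration_role( 3 ) );
```

The hardened handler never needs the encryption step at all: once the role is looked up from state the registrant cannot edit, there is nothing secret to carry through the browser, and the allowlist means even an administrator who misconfigures a form cannot turn it into an admin-creation endpoint.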

Exploit Details

To exploit this vulnerability, an attacker first needs the target's AUTH_KEY and AUTH_SALT. These live in wp-config.php, so any arbitrary file read or source disclosure vulnerability exposes them, and a site still running the placeholder values from wp-config-sample.php exposes them to everyone.

With the constants in hand, the attacker computes wpuf_encryption( 'administrator' ) exactly as the plugin does and submits the frontend registration form with that value in the "urhidden" field. The handler decrypts it and creates the new account with the administrator role, giving the attacker full control of the site.

Original References

1. WP User Frontend plugin: https://wordpress.org/plugins/wp-user-frontend/
2. Vulnerability report: https://wpscan.com/vulnerability/81d45bcc-5684-45db-9c4a-c2baaeecd387

Mitigation

Upgrade to WP User Frontend 3.5.29 or later. If that is not immediately possible, disable frontend registration or switch to another plugin until you can. The fix does not undo accounts created earlier, so also review users holding the administrator role for any created through the frontend form, and rotate AUTH_KEY and AUTH_SALT if they may have been exposed (rotating them invalidates existing login cookies, which is usually acceptable in this situation).

In addition, use strong, unique values for AUTH_KEY and AUTH_SALT (and the other WordPress secrets) so they cannot be guessed; the WordPress secret-key service at https://api.wordpress.org/secret-key/1.1/salt/ generates a suitable set.
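The check below is an added example, not part of the plugin or of WordPress core: a small CLI script that reads a wp-config.php and flags AUTH_KEY or AUTH_SALT values that are missing, still the wp-config-sample.php placeholder, or shorter than a local threshold (MIN_SECRET_LENGTH, an assumption). The two configs it runs against are constructed; the long values are made-up strings, not real secrets.

```php
<?php
// Added example, not part of the plugin or WordPress core: a CLI check for
// the precondition this vulnerability needs, weak or default AUTH_KEY /
// AUTH_SALT values in wp-config.php. The sample configs are constructed.

// Placeholder that wp-config-sample.php ships for every secret.
const WP_SECRET_PLACEHOLDER = 'put your unique phrase here';
// Below this length the value is flagged (assumption: a local threshold;
// the WordPress secret-key service issues 64-character values).
const MIN_SECRET_LENGTH = 32;

// Pull define('NAME', 'value') out of a wp-config.php source. Returns
// name => value, with null for a constant the file does not define.
// Assumes the value contains no quote characters, as generated secrets do not.
function extract_wp_secrets( string $config_source ): array {
    $secrets = [ 'AUTH_KEY' => null, 'AUTH_SALT' => null ];
    foreach ( array_keys( $secrets ) as $name ) {
        $pattern = '/define\s*\(\s*[\'"]' . $name . '[\'"]\s*,\s*[\'"]([^\'"]*)[\'"]\s*\)/';
        if ( preg_match( $pattern, $config_source, $m ) ) {
            $secrets[ $name ] = $m[1];
        }
    }
    return $secrets;
}

// One finding string per weak constant; an empty array means both pass.
function audit_wp_secrets( string $config_source ): array {
    $findings = [];
    foreach ( extract_wp_secrets( $config_source ) as $name => $value ) {
        if ( $value === null ) {
            $findings[] = "$name is not defined in this config";
        } elseif ( $value === WP_SECRET_PLACEHOLDER ) {
            $findings[] = "$name is the wp-config-sample.php placeholder";
        } elseif ( strlen( $value ) < MIN_SECRET_LENGTH ) {
            $findings[] = "$name is only " . strlen( $value ) . " characters long";
        }
    }
    return $findings;
}

// Constructed samples: one site still on the shipped placeholder plus a
// short hand-typed salt, one with service-style secrets (made-up strings).
$weak_config = <<<'CFG'
define( 'AUTH_KEY',  'put your unique phrase here' );
define( 'AUTH_SALT', 'changeme' );
CFG;

$strong_config = <<<'CFG'
define( 'AUTH_KEY',  'f.VH:^Gd0L<R)N~3q<w9V3C[?sV4e ZQgh|!(x+bzmZMk#l!zK,Fr.Bl-h7fG!,D' );
define( 'AUTH_SALT', 'T|5N=>PY7TNCU>m0|tL[xH|m9(:8o+iDv)yc3-Z+Z4z6!Mkl;ga_Ue}1%.cb;jE+' );
CFG;

// Pass a path on the command line to audit a real file instead of the samples.
$configs = isset( $argv[1] )
    ? [ $argv[1] => file_get_contents( $argv[1] ) ]
    : [ 'weak sample' => $weak_config, 'strong sample' => $strong_config ];

foreach ( $configs as $label => $source ) {
    $findings = audit_wp_secrets( $source );
    echo "$label: " . ( $findings ? implode( '; ', $findings ) : 'no weak secrets found' ) . "\n";
}
```

Run it as `php audit-secrets.php /path/to/wp-config.php` on a real site; with no argument it audits the two embedded samples. A hit on either constant means the urhidden value in this vulnerability is forgeable by anyone, independent of any other bug.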

Timeline

Published on: 11/21/2022 11:15:00 UTC
Last modified on: 11/23/2022 15:43:00 UTC