CVE-2024-3295: Unauthorized Data Loss in User Registration – Custom Registration Form, Login Form, and User Profile WordPress Plugin

Introduction: Security Vulnerability Found in Popular WordPress Plugin

It was recently discovered that the "User Registration – Custom Registration Form, Login Form, and User Profile WordPress Plugin" has a significant security flaw, which potentially affects thousands of WordPress sites. The plugin, which is used to create custom user registration forms, login forms, and user profiles, has been found to be vulnerable to unauthorized data loss. This vulnerability affects plugin versions up to and including 3.1.5.

The issue (CVE-2024-3295) is that the plugin fails to perform a capability check in the profile_pic_remove function, allowing unauthenticated attackers to delete any media file. In this post, we discuss the details of this vulnerability, review the affected code, and provide additional references and information on how to mitigate the risk.

Vulnerability Details: What's Wrong With The Plugin?

The profile_pic_remove function in "User Registration – Custom Registration Form, Login Form, and User Profile WordPress Plugin" is vulnerable because of a missing capability check, a fundamental authorization control in any WordPress plugin. This omission makes it possible for an unauthenticated attacker to delete any media file on a site that uses the plugin.

The problem occurs because the plugin does not verify that the account attempting to remove a media file has the necessary permissions to do so. Consequently, an unauthenticated attacker can exploit the flaw by sending a specially crafted request to the vulnerable function, resulting in unauthorized access and loss of data.

Code Snippet: An In-Depth Look At The Vulnerability

Here is a snippet of the vulnerable code in the plugin:

```php
function profile_pic_remove() {
    // All three values are taken straight from the request body with no
    // sanitization and no check that the caller is logged in.
    $user_id  = $_POST['user_id'];
    $media_id = $_POST['media_id'];
    $nonce    = $_POST['nonce'];

    // The nonce only defends against cross-site request forgery; it does not
    // establish who the caller is or whether they own $media_id. No
    // current_user_can() or ownership check follows, so any attacker who can
    // obtain a valid nonce may delete an arbitrary attachment.
    if ( wp_verify_nonce( $nonce, 'profile_pic_remove' . $user_id ) ) {
        wp_delete_attachment( $media_id, true );
        update_user_meta( $user_id, 'profile_picture', '' );
    }
}
```

As shown in the code snippet above, the plugin performs no capability check and never verifies that the user making the request is authorized to delete the referenced media file. Consequently, an attacker can easily exploit this vulnerability.
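For comparison, the following is an added example of how the same handler looks with the missing authorization checks in place. It is not the plugin's own patched code; the `wp_ajax_profile_pic_remove` hook name, the assumption that the handler is reached through admin-ajax.php, and the use of the `profile_picture` user meta as the source of truth for which attachment may be deleted are assumptions made for this illustration.

```php
<?php
// Hardened replacement for the profile_pic_remove handler shown above.
// Assumption: the handler is registered on the wp_ajax_profile_pic_remove
// hook only. There is deliberately no wp_ajax_nopriv_ counterpart, so
// anonymous visitors never reach this function at all.
add_action( 'wp_ajax_profile_pic_remove', 'secure_profile_pic_remove' );

function secure_profile_pic_remove() {
    // Sanitize: both IDs must be positive integers.
    $user_id  = isset( $_POST['user_id'] )  ? absint( $_POST['user_id'] )  : 0;
    $media_id = isset( $_POST['media_id'] ) ? absint( $_POST['media_id'] ) : 0;

    // 1. Nonce check (CSRF protection). Dies with HTTP 403 on failure.
    //    This proves the form was issued by the site, not who submitted it.
    check_ajax_referer( 'profile_pic_remove' . $user_id, 'nonce' );

    // 2. Authentication + capability check: the caller must be logged in
    //    and allowed to edit this user (the user themselves or an admin).
    if ( ! is_user_logged_in() || ! current_user_can( 'edit_user', $user_id ) ) {
        wp_send_json_error( array( 'message' => 'Not allowed.' ), 403 ); // ends request
    }

    // 3. Object-level authorization: never trust the client-supplied media ID.
    //    Only the attachment currently recorded as this user's profile picture
    //    may be removed, so an arbitrary media ID cannot be deleted.
    $current = absint( get_user_meta( $user_id, 'profile_picture', true ) );
    if ( 0 === $media_id || $media_id !== $current ) {
        wp_send_json_error( array( 'message' => 'Not your profile picture.' ), 400 );
    }

    // 4. Confirm the ID really refers to an attachment before deleting.
    if ( 'attachment' !== get_post_type( $media_id ) ) {
        wp_send_json_error( array( 'message' => 'Invalid media.' ), 400 );
    }

    // wp_delete_attachment() returns false/null when nothing was deleted.
    if ( ! wp_delete_attachment( $media_id, true ) ) {
        wp_send_json_error( array( 'message' => 'Deletion failed.' ), 500 );
    }
    update_user_meta( $user_id, 'profile_picture', '' );

    wp_send_json_success();
}
```

The nonce alone, as in the vulnerable version, only addresses CSRF; steps 2 and 3 are what close the authorization gap described in this advisory.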

Original References

For more information and the latest updates regarding this vulnerability, please refer to the following resources:

1. CVE-2024-3295
2. Plugin's Official Announcement

Exploit Details: How To Safeguard Your WordPress Site

To protect your WordPress site from this security flaw, it is strongly recommended that you update the "User Registration – Custom Registration Form, Login Form, and User Profile WordPress Plugin" to version 3.1.6 or later. This version addresses the vulnerability and includes the necessary checks to prevent unauthorized data loss.

In conclusion, security vulnerabilities like CVE-2024-3295 can pose a significant risk to your WordPress site, so it is essential to keep your plugins updated and to stay informed about the latest security developments in the WordPress community. Regularly reviewing the security status of your site and following recommended practices help keep your website safe and secure.

Timeline

Published on: 05/02/2024 17:15:24 UTC
Last modified on: 05/02/2024 18:00:37 UTC