Nasty WordPress plugin bugs could allow attackers to register as site admins

Users urged to update to patched version


Security researchers have discovered critical and easily exploitable vulnerabilities in a popular WordPress plugin that can be abused to upload arbitrary files to affected websites.

In their breakdown of the vulnerability, researchers from Wordfence, which develops security solutions to protect WordPress installations, note that the affected plugin is installed on over 400,000 websites.

The ProfilePress plugin, earlier known as WP User Avatar, enables admins to design user profile pages, and create frontend forms for user registration. It also helps protect sensitive content and control user access.


Wordfence notes that the vulnerabilities could also be exploited by attackers to register themselves as a site administrator, even if the real admins had disabled user registration.

Improper implementation

According to Wordfence, although the ProfilePress plugin started out as a means to upload user profile photos, it was recently reworked into its current form and took on new user login and registration features.

Unfortunately, the new features were not coded defensively, and that is where the vulnerabilities were introduced.

For instance, the plugin did not restrict which user metadata a visitor could supply during the registration process. Wordfence's researchers used this to set metadata on a newly registered account and escalate its privileges to those of an administrator.


The same could also be done through the update profile function. Moreover, since the plugin never checked whether user registration was enabled on the site, attackers did not need to compromise an existing account: they could simply register a new one and take over the website with very little effort.
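The two flaws the article describes (unrestricted user metadata on registration and on profile update, and no check of the site's registration setting) come from the same missing controls in a form handler. The PHP below is an added illustration written for this page, not ProfilePress code: a hypothetical front-end registration handler in its vulnerable shape, followed by a hardened version of both the registration and the profile-update paths. All function names prefixed with `example_` and the form field names are assumptions; the WordPress API calls (`wp_insert_user`, `update_user_meta`, `get_option`, `wp_verify_nonce`, and so on) are the real core functions.

```php
<?php
// Added example for this article, not code from the ProfilePress plugin.
// Function names prefixed example_ and the form field names are hypothetical.

// VULNERABLE PATTERN: every POSTed field is written to wp_usermeta, and the
// handler runs whether or not the site allows registration.
function example_register_vulnerable() {
    $user_id = wp_insert_user( array(
        'user_login' => $_POST['username'],
        'user_email' => $_POST['email'],
        'user_pass'  => $_POST['password'],
    ) );
    if ( is_wp_error( $user_id ) ) {
        wp_die( 'Registration failed' );
    }
    // An unauthenticated visitor can send an extra field such as
    //   wp_capabilities[administrator]=1
    // and it lands in usermeta as the serialized array WordPress reads
    // when deciding what the account may do.
    foreach ( $_POST as $key => $value ) {
        update_user_meta( $user_id, $key, $value );
    }
}

// HARDENED: only an explicit allowlist of profile fields is ever stored.
// Shared by the registration and profile-update handlers so both paths
// get the same rule.
function example_store_profile_meta( $user_id, array $input ) {
    $allowed_meta = array( 'first_name', 'last_name', 'description' );
    foreach ( $allowed_meta as $key ) {
        if ( isset( $input[ $key ] ) && is_string( $input[ $key ] ) ) {
            update_user_meta(
                $user_id,
                $key,
                sanitize_text_field( wp_unslash( $input[ $key ] ) )
            );
        }
    }
}

function example_register_hardened() {
    // 1. Honour the site-wide setting the administrator controls.
    if ( ! get_option( 'users_can_register' ) ) {
        wp_die( 'Registration is disabled', '', array( 'response' => 403 ) );
    }
    // 2. Require a nonce tied to this form.
    $nonce = isset( $_POST['_wpnonce'] ) ? $_POST['_wpnonce'] : '';
    if ( ! wp_verify_nonce( $nonce, 'example_register' ) ) {
        wp_die( 'Invalid request', '', array( 'response' => 403 ) );
    }
    // 3. The role comes from site configuration, never from the request.
    $user_id = wp_insert_user( array(
        'user_login' => sanitize_user( wp_unslash( $_POST['username'] ?? '' ), true ),
        'user_email' => sanitize_email( wp_unslash( $_POST['email'] ?? '' ) ),
        'user_pass'  => (string) ( $_POST['password'] ?? '' ),
        'role'       => get_option( 'default_role' ),
    ) );
    if ( is_wp_error( $user_id ) ) {
        wp_die( esc_html( $user_id->get_error_message() ) );
    }
    // 4. Only allowlisted profile fields reach usermeta.
    example_store_profile_meta( $user_id, $_POST );
}

function example_update_profile_hardened() {
    // Profile updates act on the logged-in user only, never on an ID from
    // the request, and go through the same allowlist as registration.
    if ( ! is_user_logged_in() ) {
        wp_die( 'Login required', '', array( 'response' => 401 ) );
    }
    $nonce = isset( $_POST['_wpnonce'] ) ? $_POST['_wpnonce'] : '';
    if ( ! wp_verify_nonce( $nonce, 'example_update_profile' ) ) {
        wp_die( 'Invalid request', '', array( 'response' => 403 ) );
    }
    example_store_profile_meta( get_current_user_id(), $_POST );
}
```

The allowlist is deliberate: the capabilities meta key is prefixed with the database table prefix (`wp_capabilities` only on sites using the default prefix), so a denylist of known-dangerous keys is easy to get wrong, whereas naming the handful of fields a profile form is allowed to set is not. The `users_can_register` check is the control that was missing in the second finding; without it an attacker never needs an existing account.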

Wordfence reported these vulnerabilities to ProfilePress around the end of May. The company responded swiftly, plugging the bugs with a patch (v3.1.4) within a couple of days.

To shield against attack, users running vulnerable versions (3.0-3.1.3) are urged to update immediately.

With almost two decades of writing and reporting on Linux, Mayank Sharma would like everyone to think he’s TechRadar Pro’s expert on the topic. Of course, he’s just as interested in other computing topics, particularly cybersecurity, cloud, containers, and coding.
