Profile Builder - front-end user registration, login and edit profile [Privilege Escalation]
Description
This was first reported by itsabhineet in the WordPress support forums. This guy didn't really realize that he was posting a security issue. The topic was deleted by the WordPress team.
The Profile Builder plugin registers the shortcode wppb-register, which lets users create a page with a registration form. This shortcode has a role option, which sets the newly registered user's role to the value provided.
The problem arises when a user who can create a post type that can contain shortcodes creates a post containing this shortcode with the role attribute set to administrator.
PoC
- Create a post with a user that can create posts (contributor, author etc.).
- Add the shortcode [wppb-register role="administrator"]
- Log out and register a new user
The new user will be created as an administrator.
Solution
Upgrade to v2.3.6
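An added audit example (not part of the original advisory or the plugin's code): it scans post content for the wppb-register shortcode whose role attribute names a privileged role while the post's author is not an administrator. The post rows, their field names and the two role sets are constructed assumptions; on a real site the rows would come from an export of posts joined with each author's role.

```python
import re

# Assumptions for this audit; adjust both sets to the site's role model.
PRIVILEGED_ROLES = {"administrator", "editor"}
TRUSTED_AUTHOR_ROLES = {"administrator"}

# The shortcode tag comes from the advisory; attribute parsing is simplified.
SHORTCODE_RE = re.compile(r"\[wppb-register(?=[\s\]])([^\]]*)\]", re.IGNORECASE)
ATTR_RE = re.compile(r"""(\w+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s\]]+))""")


def parse_attrs(raw):
    """Return shortcode attributes as a dict with lower-cased names."""
    attrs = {}
    for m in ATTR_RE.finditer(raw):
        # Exactly one of the three value groups matched (quoted or bare).
        value = next(g for g in m.groups()[1:] if g is not None)
        attrs[m.group(1).lower()] = value
    return attrs


def audit_posts(posts):
    """Flag posts whose shortcode grants a privileged role but whose
    author is not trusted to grant it. Returns (id, author_role, role)."""
    findings = []
    for post in posts:
        for m in SHORTCODE_RE.finditer(post["content"]):
            role = parse_attrs(m.group(1)).get("role", "").strip().lower()
            if role in PRIVILEGED_ROLES and post["author_role"] not in TRUSTED_AUTHOR_ROLES:
                findings.append((post["id"], post["author_role"], role))
    return findings


# Constructed sample rows (not real site data).
SAMPLE_POSTS = [
    {"id": 11, "author_role": "administrator", "content": 'Join us: [wppb-register role="editor"]'},
    {"id": 12, "author_role": "contributor", "content": '[wppb-register role="administrator"]'},
    {"id": 13, "author_role": "author", "content": "[wppb-register]"},
    {"id": 14, "author_role": "author", "content": "Sign up [WPPB-Register role='Administrator' ]"},
    {"id": 15, "author_role": "contributor", "content": '[wppb-register role="subscriber"]'},
]

if __name__ == "__main__":
    for post_id, author_role, role in audit_posts(SAMPLE_POSTS):
        print(f"post {post_id}: author role '{author_role}' grants '{role}' on registration")
```

Any finding should be followed by a review of the accounts registered while that post existed.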
INFO
- 10 May 2016
- Pan Vag
- www.cozmoslabs.com
- Profile Builder - front-end user registration, login and edit profile
- 2.3.6
- WordPress 4.5
- DWF-2016-87034