Critical vulnerabilities in ProfilePress: FWP User Avatar WordPress plugin allow cyber criminals to hack a website

A set of security flaws in ProfilePress, a popular WordPress plugin would allow threat actors to deploy remote code execution attacks. According to Wordfence experts, a total of four security flaws were detected that received a score of 9.8/10 on the Common Vulnerability Scoring System (CVSS) scale and their successful exploitation would allow hackers to take full control of the affected website.

The affected plugin allows users to upload profile images very easily and has more than 40 thousand active installations. Although at the time of its release its only function was the upload of images, some updates added new features, such as logins and user registration. Security flaws reside in such updates.

The first of the flaws was described as a privilege escalation vulnerability: “During registration, users could provide arbitrary metadata that would be updated in this process; this includes wp_capabilities, which controls the user’s capabilities. A threat actor could pass data wp_capabilities specially designed, allowing it to take on any role, including administrator.”

The following flaw was also described as a privilege escalation bug that resides in the user profile update functionality. Privilege escalation is achieved in a similar way to the previous flaw, although it requires threat actors to have an active account on the target website.

The third error exists because ProfilePress incorrectly implemented the image upload feature using the exif_imagetype function to determine whether the uploaded files are safe or not. Hackers could abuse this error by loading a webshell in order to execute remote code and arbitrary commands on the server.

Finally, Wordfence reported the finding of an arbitrary file load in the “custom fields” functionality. Exploiting this flaw would allow remote code execution.

The flaws were presented to those responsible for the plugin in late May and WordPress announced the release of an update days later. ProfilePress users are encouraged to upgrade to v3.1.8 to mitigate operational risks.

To learn more about information security risks, malware variants, vulnerabilities and information technologies, feel free to access the International Institute of Cyber Security (IICS) websites.