CVE-2021-34621
📋 TL;DR
This critical vulnerability in the ProfilePress WordPress plugin allows unauthenticated attackers to register new user accounts with administrator privileges, because the plugin's user-registration handler did not restrict the role a newly created account could be given. It affects WordPress sites running ProfilePress versions 3.0.0 through 3.1.3 (inclusive) and enables complete site takeover.
💻 Affected Systems
- WordPress ProfilePress Plugin
📦 What is this software?
ProfilePress by Properfraction, a user registration, login and profile plugin for WordPress. It is distributed on WordPress.org under the slug wp-user-avatar (it was rebranded from the WP User Avatar plugin), so the plugin directory on disk and in WP-CLI output is wp-user-avatar rather than profilepress.
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of WordPress site with attacker gaining full administrative control, allowing content modification, plugin/theme installation, data theft, and further server compromise.
Likely Case
Attackers create administrator accounts to deface websites, inject malicious content, steal sensitive data, or install backdoors for persistent access.
If Mitigated
With proper monitoring and immediate response, impact limited to temporary site disruption and cleanup of unauthorized accounts.
🎯 Exploit Status
Public exploit code is available (see the Packet Storm entry under References). Exploitation requires no authentication, needs only a single request to the registration endpoint, and can be automated for mass exploitation.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 3.1.4
Vendor Changelog (plugin slug wp-user-avatar): https://wordpress.org/plugins/wp-user-avatar/#developers
Restart Required: No
Instructions:
1. Log into WordPress admin panel
2. Navigate to Plugins → Installed Plugins
3. Find ProfilePress plugin
4. Click 'Update Now' if update available
5. If no update is offered, deactivate and delete the plugin, then install version 3.1.4 or later from the WordPress.org repository (slug wp-user-avatar)
🔧 Temporary Workarounds
Disable User Registration
Temporarily disable user registration functionality in WordPress settings
Navigate to Settings → General in WordPress admin and uncheck 'Anyone can register'. ProfilePress serves its own registration forms through admin-ajax.php rather than through wp-login.php?action=register, so after making this change confirm that a test registration submitted through a ProfilePress form actually fails; if it still succeeds, deactivate the plugin instead.
Deactivate ProfilePress Plugin
Immediately disable the vulnerable plugin until patched
Navigate to Plugins → Installed Plugins in WordPress admin, find ProfilePress, and click 'Deactivate'
🧯 If You Can't Patch
- Implement Web Application Firewall (WAF) rules to block POST requests to /wp-admin/admin-ajax.php whose action parameter is pp_ajax_signup (or the other ProfilePress registration endpoints in use). Note that WordPress accepts the action parameter in either the query string or the POST body, so the rule must inspect both.
- Enable detailed logging of all user registration attempts and monitor for suspicious administrator account creation
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin → Plugins → Installed Plugins, find ProfilePress and verify whether the version is between 3.0.0 and 3.1.3 inclusive. An installed but deactivated copy in that range should still be updated or removed.
Check Version:
wp plugin get wp-user-avatar --field=version (if WP-CLI is installed; the plugin's slug is wp-user-avatar, so --name=profilepress returns nothing)
Verify Fix Applied:
Confirm ProfilePress version is 3.1.4 or higher in WordPress plugins list
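The version window above is easy to get wrong with a plain string comparison (for example, "3.1.10" sorts before "3.1.4" as text). The following is an added example, not code from the page or from Properfraction: it parses the JSON that `wp plugin list --format=json` emits, looks up the wp-user-avatar slug, and compares the version numerically against the 3.0.0 to 3.1.3 window, treating a pre-release of 3.1.4 as still vulnerable. The sample plugin list embedded in the block is constructed, not taken from a real site.

```python
"""Check whether an installed ProfilePress build falls in the CVE-2021-34621 range.

Added example (not from the page or from Properfraction). It reads the JSON
that `wp plugin list --format=json` emits, finds the wp-user-avatar slug, and
compares the version numerically against 3.0.0 <= v < 3.1.4.
"""
import json
import re
import subprocess
from typing import Optional

PLUGIN_SLUG = "wp-user-avatar"          # WordPress.org slug ProfilePress ships under
FIRST_VULNERABLE = (3, 0, 0, 0)         # 3.0.0 final
FIRST_FIXED = (3, 1, 4, 0)              # 3.1.4 final (patched release)


def parse_version(text: str) -> tuple:
    """Turn '3.1.3', 'v3.1' or '3.1.4-beta1' into a comparable 4-tuple of ints.

    Missing components are padded with zeros. A pre-release suffix maps to -1
    in the fourth slot so that e.g. '3.1.4-beta1' sorts below the final 3.1.4
    and is therefore still reported as vulnerable (the conservative choice).
    """
    m = re.match(r"v?(\d+(?:\.\d+)*)(.*)$", text.strip())
    if not m:
        raise ValueError(f"unparseable version: {text!r}")
    parts = [int(p) for p in m.group(1).split(".")]
    parts = (parts + [0, 0, 0])[:3]
    prerelease = -1 if m.group(2).strip(" -.") else 0
    return tuple(parts + [prerelease])


def is_vulnerable(version: str) -> bool:
    """True when the version is within the CVE-2021-34621 window."""
    v = parse_version(version)
    return FIRST_VULNERABLE <= v < FIRST_FIXED


def assess_plugin_list(plugin_list_json: str) -> Optional[dict]:
    """Verdict for ProfilePress from `wp plugin list --format=json` output.

    Returns None when the plugin is not installed at all; otherwise the
    installed version, its status and whether it is in the vulnerable window.
    An inactive copy is still reported, since it should be updated or deleted.
    """
    for entry in json.loads(plugin_list_json):
        if entry.get("name") == PLUGIN_SLUG:
            return {
                "version": entry["version"],
                "status": entry.get("status"),
                "vulnerable": is_vulnerable(entry["version"]),
            }
    return None


def assess_live_site(wp_path: str = ".") -> Optional[dict]:
    """Run WP-CLI against a real install (needs `wp` on PATH and a WordPress root)."""
    out = subprocess.run(
        ["wp", "plugin", "list", "--format=json", f"--path={wp_path}"],
        check=True, capture_output=True, text=True,
    ).stdout
    return assess_plugin_list(out)


# Constructed sample of `wp plugin list --format=json` output; not from a real site.
SAMPLE_PLUGIN_LIST = json.dumps([
    {"name": "akismet", "status": "inactive", "update": "none", "version": "4.1.9"},
    {"name": "wp-user-avatar", "status": "active", "update": "available", "version": "3.1.3"},
])

if __name__ == "__main__":
    print(assess_plugin_list(SAMPLE_PLUGIN_LIST))
    # -> {'version': '3.1.3', 'status': 'active', 'vulnerable': True}
```

On a real host, `assess_live_site("/var/www/html")` replaces the constructed sample with the live plugin list; the verdict logic is the same either way.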
📡 Detection & Monitoring
Log Indicators:
- Unusual user registration events, especially with administrator role assignment
- Multiple failed registration attempts followed by successful admin registration
- User accounts created with timestamps close together from same IP
Network Indicators:
- POST requests to /wp-admin/admin-ajax.php with action=pp_ajax_signup or similar ProfilePress registration endpoints (the action parameter may be in the query string or the POST body; standard access logs only show the former)
- HTTP registration requests carrying role or capability parameters such as user_role=administrator (exact parameter names vary between exploit scripts)
SIEM Query (pseudo-syntax; adapt the source and field names to your platform):
source="wordpress.log" AND ("pp_ajax_signup" OR "profilepress" OR "user registration") AND ("administrator" OR "role=1")
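The indicators above can be checked without a SIEM. The following is an added example, not code from the page or from Properfraction: it scans web-server access-log lines in Combined Log Format for POST requests to admin-ajax.php that name the pp_ajax_signup action in the query string and clusters them by client IP, and it reviews the JSON from `wp user list --role=administrator --format=json --fields=ID,user_login,user_registered` for administrator accounts registered after a cutoff that are not on a known list. The log lines and user records embedded in the block are constructed samples.

```python
"""Hunt for CVE-2021-34621 exploitation signals in access logs and WP-CLI output.

Added example (not from the page or from Properfraction). Two checks:
1. scan_access_log(): POST to admin-ajax.php with action=pp_ajax_signup in the
   query string, grouped by client IP.
2. find_suspect_admins(): administrators registered at/after a cutoff that are
   not on a known-good list, from `wp user list --role=administrator
   --format=json --fields=ID,user_login,user_registered`.
"""
import json
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import parse_qs, urlsplit

# Combined Log Format: ip - user [time] "METHOD target HTTP/x" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)
SIGNUP_ACTION = "pp_ajax_signup"


def parse_line(line: str):
    """Return the named fields of one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_signup_request(rec: dict) -> bool:
    """POST to /wp-admin/admin-ajax.php with action=pp_ajax_signup in the query string.

    Caveat: WordPress also accepts `action` in the POST body, which a standard
    access log does not record, so a miss here is not proof of absence. Body
    inspection needs a WAF or reverse proxy that logs request bodies.
    """
    if rec["method"] != "POST":
        return False
    parts = urlsplit(rec["target"])
    if not parts.path.endswith("/wp-admin/admin-ajax.php"):
        return False
    return SIGNUP_ACTION in parse_qs(parts.query).get("action", [])


def scan_access_log(lines):
    """Map each client IP that hit the signup action to the timestamps of its hits."""
    hits = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and is_signup_request(rec):
            hits[rec["ip"]].append(rec["time"])
    return dict(hits)


def find_suspect_admins(wp_user_list_json: str, cutoff: str, known_logins):
    """Administrator logins registered at/after `cutoff` ('YYYY-MM-DD HH:MM:SS') and not known."""
    cutoff_dt = datetime.strptime(cutoff, "%Y-%m-%d %H:%M:%S")
    suspects = []
    for user in json.loads(wp_user_list_json):
        registered = datetime.strptime(user["user_registered"], "%Y-%m-%d %H:%M:%S")
        if registered >= cutoff_dt and user["user_login"] not in known_logins:
            suspects.append(user["user_login"])
    return suspects


# Constructed sample access-log lines (RFC 5737 test addresses); not a real capture.
SAMPLE_ACCESS_LOG = [
    '203.0.113.7 - - [14/Jun/2021:02:11:03 +0000] "GET /register/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [14/Jun/2021:02:11:09 +0000] "POST /wp-admin/admin-ajax.php?action=pp_ajax_signup HTTP/1.1" 200 231 "-" "python-requests/2.25.1"',
    '203.0.113.7 - - [14/Jun/2021:02:11:10 +0000] "POST /wp-admin/admin-ajax.php?action=pp_ajax_signup HTTP/1.1" 200 231 "-" "python-requests/2.25.1"',
    '198.51.100.4 - - [14/Jun/2021:02:15:44 +0000] "POST /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 95 "https://example.test/wp-admin/" "Mozilla/5.0"',
    '203.0.113.7 - - [14/Jun/2021:02:11:30 +0000] "GET /wp-login.php HTTP/1.1" 200 3200 "-" "python-requests/2.25.1"',
]

# Constructed sample of `wp user list --role=administrator --format=json ...` output.
SAMPLE_ADMIN_LIST = json.dumps([
    {"ID": 1, "user_login": "siteowner", "user_registered": "2019-03-02 10:00:00"},
    {"ID": 57, "user_login": "backup_svc", "user_registered": "2021-06-14 02:11:10"},
])

if __name__ == "__main__":
    print(scan_access_log(SAMPLE_ACCESS_LOG))
    print(find_suspect_admins(SAMPLE_ADMIN_LIST, "2021-06-01 00:00:00", {"siteowner"}))
```

Correlating the two outputs is the useful step: an administrator whose user_registered timestamp falls within seconds of a burst of pp_ajax_signup hits from one IP, as in the constructed sample, is the pattern to treat as a confirmed compromise rather than a false positive.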
🔗 References
- http://packetstormsecurity.com/files/163973/WordPress-ProfilePress-3.1.3-Privilege-Escalation.html
- https://www.wordfence.com/blog/2021/06/easily-exploitable-critical-vulnerabilities-patched-in-profilepress-plugin/