CVE-2023-3342
📋 TL;DR
The User Registration plugin for WordPress, in versions up to and including 3.0.2, lets authenticated users with subscriber-level access or higher upload arbitrary files through its profile-picture upload handler. Two defects combine: the upload is protected by a hardcoded encryption key, which offers no protection once the key is read from the publicly available plugin source, and the uploaded file's type is not validated. Because the file lands under the web root, an uploaded PHP script can be requested directly and executed, so the bug can lead to remote code execution on vulnerable sites. Fixed in 3.0.2.1.
💻 Affected Systems
- WordPress User Registration plugin (plugin slug user-registration), versions up to and including 3.0.2
📦 What is this software?
User Registration is a WordPress plugin by WPEverest for building front-end registration and login forms and user account pages. The account page includes a profile-picture upload, and that upload handler is the affected code.
⚠️ Risk & Real-World Impact
Worst Case
Full server compromise through remote code execution, allowing attackers to install backdoors, steal data, deface websites, or pivot to other systems.
Likely Case
Website defacement, malware distribution, credential theft, or data exfiltration through uploaded malicious files.
If Mitigated
With PHP execution denied in the uploads directory and the plugin's upload endpoint restricted, an attacker can still store arbitrary files under uploads/user_registration/ but cannot execute them. Impact is then limited to disk consumption, hosting of malicious content served as static files, and whatever the plugin itself does with the stored file.
🎯 Exploit Status
Exploit code is publicly available (see the Packet Storm and Lana Codes references below). Authentication is required, but subscriber-level permissions are sufficient, and on sites with open registration (Settings → General → "Anyone can register", default role Subscriber) any visitor can create such an account, so the authentication requirement is a weak barrier.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 3.0.2.1
Vendor Advisory (fix changeset): https://plugins.trac.wordpress.org/changeset/2933689/user-registration/trunk/includes/functions-ur-core.php
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find the 'User Registration' plugin.
4. Click 'Update Now' if an update is available.
5. If no update appears, download version 3.0.2.1 or later from WordPress.org and replace the plugin files.
🔧 Temporary Workarounds
Disable plugin
Platform: all. Temporarily disable the User Registration plugin until it is patched; the registration and account forms it provides stop working while it is off.
wp plugin deactivate user-registration
Restrict file uploads
Platform: linux. Remove scripts already written to the plugin upload directory and stop the web server from executing anything uploaded there. Directory permissions alone do not prevent PHP execution (the web server still reads and runs an uploaded .php file), so deny script execution for uploads/user_registration/ at the web-server level (an Apache .htaccess or an nginx location block). The find command below only catches the .php extension; .phtml, .phar and double extensions such as .php.jpg need the same treatment.
chmod 755 /path/to/wp-content/uploads/user_registration/
find /path/to/wp-content/uploads/user_registration/ -type f -name '*.php' -delete
🧯 If You Can't Patch
- Turn off open registration (Settings → General → uncheck "Anyone can register") and review existing subscriber accounts, so attackers cannot obtain the subscriber-level account the exploit needs
- Add a web application firewall rule that blocks multipart POSTs to /wp-admin/admin-ajax.php with action=ur_upload_profile_pic whose uploaded filename does not end in an image extension (jpg, jpeg, png, gif)
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin → Plugins → Installed Plugins for User Registration plugin version. If version is 3.0.2 or lower, you are vulnerable.
Check Version:
wp plugin get user-registration --field=version
Verify Fix Applied:
Verify plugin version shows 3.0.2.1 or higher in WordPress admin panel.
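A version check that gets the comparison right, as an added example (not code from the plugin or the advisory). Comparing version strings as text ranks "3.0.10" below "3.0.2.1" and would report a patched site as vulnerable, so the script compares each dotted component as an integer. The wp-cli command is the one shown on this page; the function names and the behaviour for missing components are this example's own.

```shell
#!/bin/sh
# Added example, not code from the plugin or the advisory: a numeric version check
# for the User Registration plugin. A string comparison ranks "3.0.10" below "3.0.2.1",
# so each dotted component is compared as an integer. The wp-cli call is the one
# shown on this page; everything else is this example's own.

# First fixed release named in the advisory.
UR_FIXED_VERSION="3.0.2.1"

# ur_version_lt A B: succeed (exit 0) when version A is numerically lower than B.
# Missing components count as 0, so "3.0" < "3.0.2" and "3.0.2" < "3.0.2.1".
ur_version_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, A, "."); nb = split(b, B, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            x = (i <= na) ? A[i] + 0 : 0     # "+ 0" coerces "2-beta" style suffixes to a number
            y = (i <= nb) ? B[i] + 0 : 0
            if (x < y) exit 0
            if (x > y) exit 1
        }
        exit 1                               # equal
    }'
}

# ur_is_vulnerable VERSION: succeed when VERSION is below the fixed release (<= 3.0.2).
ur_is_vulnerable() {
    ur_version_lt "$1" "$UR_FIXED_VERSION"
}

# ur_check_site: read the installed version with wp-cli and report. Assumes `wp` is on
# PATH and is run from the WordPress root (or with wp-cli's global --path option).
ur_check_site() {
    v=$(wp plugin get user-registration --field=version 2>/dev/null) || {
        echo "user-registration not installed or wp-cli unavailable"; return 2; }
    if ur_is_vulnerable "$v"; then
        echo "VULNERABLE: user-registration $v (update to $UR_FIXED_VERSION or later)"; return 1
    fi
    echo "OK: user-registration $v"
}

# Usage: sh ur-version.sh 3.0.2    (check a version string)
#        sh ur-version.sh --site   (query the live site through wp-cli)
case "${1:-}" in
    "")     ;;                            # no argument: only define the functions
    --site) ur_check_site ;;
    *)      if ur_is_vulnerable "$1"; then echo "$1: VULNERABLE"; else echo "$1: OK"; fi ;;
esac
```

ur_check_site returns 1 for a vulnerable install, 0 for a patched one and 2 when it cannot read the version, so it drops into a fleet-wide loop over sites without parsing its output.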
📡 Detection & Monitoring
Log Indicators:
- Repeated POSTs to /wp-admin/admin-ajax.php with action=ur_upload_profile_pic from one account or IP (a legitimate user sets a profile picture once; a burst suggests someone iterating on a payload)
- Unusual file types (.php, .phtml, .phar, .exe, .sh) or double extensions (.php.jpg) in the uploads/user_registration/ directory
- Any request for a .php file under /wp-content/uploads/user_registration/ that returns 200: that is the uploaded script being executed
Network Indicators:
- Multipart POST requests to /wp-admin/admin-ajax.php with action=ur_upload_profile_pic whose uploaded filename or content type is not an image
SIEM Query:
source="web_logs" AND uri_path="/wp-admin/admin-ajax.php" AND method="POST" AND action="ur_upload_profile_pic" AND file_extension IN ("php", "exe", "sh", "py")
The action and file_extension fields are POST body values: a plain access log records neither unless action is passed in the query string, so the query above needs a WAF or application log that extracts them. A second query on uri_path starting with /wp-content/uploads/user_registration/ and ending in .php works on any access log and catches the execution step directly.
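The log indicators above run over constructed access-log lines, as an added example that is not part of the advisory. It assumes combined log format, that the upload action name appears in the request line (it is normally a POST body field, so on a real site this needs a WAF or application log, or a SIEM that extracts it; the uploaded-script check does not depend on that), and the default upload directory. The IPs and log lines are made up for the example.

```shell
#!/bin/sh
# Added example, not code from the plugin or the advisory: the two log indicators above
# run over constructed access-log lines in Apache/nginx combined format. Assumptions:
# the upload action name appears in the request line (it is normally a POST body field,
# so this needs a WAF/app log or a SIEM that extracts it), and the upload directory is
# the default wp-content/uploads/user_registration/. The IPs and lines below are made up.

# ur_write_sample_log FILE: constructed sample log, not captured traffic.
ur_write_sample_log() {
    cat > "$1" <<'EOF'
203.0.113.7 - - [13/Jul/2023:10:01:02 +0000] "POST /wp-admin/admin-ajax.php?action=ur_upload_profile_pic HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [13/Jul/2023:10:01:03 +0000] "POST /wp-admin/admin-ajax.php?action=ur_upload_profile_pic HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [13/Jul/2023:10:01:04 +0000] "POST /wp-admin/admin-ajax.php?action=ur_upload_profile_pic HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [13/Jul/2023:10:01:09 +0000] "GET /wp-content/uploads/user_registration/shell.php?c=id HTTP/1.1" 200 88 "-" "curl/8.1.2"
198.51.100.5 - - [13/Jul/2023:10:02:10 +0000] "POST /wp-admin/admin-ajax.php?action=ur_upload_profile_pic HTTP/1.1" 200 512 "-" "Mozilla/5.0"
192.0.2.44 - - [13/Jul/2023:10:05:00 +0000] "GET /wp-content/uploads/user_registration/avatar.jpg HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
192.0.2.44 - - [13/Jul/2023:10:05:01 +0000] "POST /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 30 "-" "Mozilla/5.0"
EOF
}

# ur_upload_attempts LOG: count POSTs to admin-ajax.php that name the upload action,
# per client IP. Output: "<count> <ip>", highest first.
ur_upload_attempts() {
    awk '$6 == "\"POST" && $7 ~ /^\/wp-admin\/admin-ajax\.php/ && $7 ~ /action=ur_upload_profile_pic/ { n[$1]++ }
         END { for (ip in n) print n[ip], ip }' "$1" | sort -rn
}

# ur_flag_bursts LOG THRESHOLD: IPs that reached THRESHOLD upload attempts. A legitimate
# user changes a profile picture once; a burst is someone iterating on a payload.
ur_flag_bursts() {
    ur_upload_attempts "$1" | awk -v t="$2" '$1 >= t { print $2 }'
}

# ur_uploaded_script_hits LOG: requests for a script under the plugin upload directory.
# Output: "<ip> <status> <path>". Any line is a strong indicator regardless of how the
# upload itself was logged; a 200 status means the server executed the file.
ur_uploaded_script_hits() {
    awk '$7 ~ /^\/wp-content\/uploads\/user_registration\/.*\.(php|php[3-7]|phtml|phar)(\?|\.|\/|$)/ { print $1, $9, $7 }' "$1"
}

# Usage: sh ur-detect.sh --demo
#        sh ur-detect.sh /var/log/apache2/access.log
case "${1:-}" in
    "")     ;;                                  # no argument: only define the functions
    --demo) f=$(mktemp); ur_write_sample_log "$f"
            echo "upload attempts per IP:"; ur_upload_attempts "$f"
            echo "burst (>= 3):";           ur_flag_bursts "$f" 3
            echo "uploaded script hits:";   ur_uploaded_script_hits "$f"
            rm -f "$f" ;;
    *)      ur_upload_attempts "$1"; ur_uploaded_script_hits "$1" ;;
esac
```

On the constructed log, 203.0.113.7 makes three upload attempts and then requests shell.php, which is the sequence to alert on; 198.51.100.5 makes a single upload and 192.0.2.44 only fetches an image, so neither is flagged.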
🔗 References
- http://packetstormsecurity.com/files/173434/WordPress-User-Registration-3.0.2-Arbitrary-File-Upload.html
- https://lana.codes/lanavdb/c0a58dff-7a5b-4cc0-82d6-2255e61d801c/
- https://plugins.trac.wordpress.org/browser/user-registration/tags/3.0.1/includes/functions-ur-core.php#L3156
- https://plugins.trac.wordpress.org/changeset/2933689/user-registration/trunk/includes/functions-ur-core.php
- https://www.wordfence.com/threat-intel/vulnerabilities/id/a979e885-f7dd-4616-a881-64f3d97c309d?source=cve