WordPress Plugin Vulnerability Report – User Profile Builder – Cross-Site Request Forgery via pms-cross-promotion.php
Plugin Name: User Profile Builder
Key Information:
- Software Type: Plugin
- Software Slug: profile-builder
- Software Status: Active
- Software Author: reflectionmedia
- Software Downloads: 3,998,068
- Active Installs: 50,000
- Last Updated: November 7, 2023
- Patched Versions: 3.10.4
- Affected Versions: <= 3.10.3
Vulnerability Details:
- Name: Profile Builder <= 3.10.4 - Cross-Site Request Forgery via pms-cross-promotion.php
- Title: Cross-Site Request Forgery via pms-cross-promotion.php
- Type: Cross-Site Request Forgery (CSRF)
- CVSS Score: 7.1 (High)
- Publicly Published: November 7, 2023
- Description: The User Profile Builder – Beautiful User Registration Forms, User Profiles & User Role Editor plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.10.3. This is due to missing or incorrect nonce validation on the wppb_activate_pms_plugin and wppb_deactivate_pms_plugin functions. This makes it possible for unauthenticated attackers to activate and deactivate arbitrary plugins via a forged request, provided they can trick a site administrator into performing an action such as clicking on a link.
Summary:
The User Profile Builder for WordPress has a vulnerability in versions up to and including 3.10.3 that allows unauthenticated attackers to activate and deactivate arbitrary plugins via forged requests. This vulnerability has been patched in version 3.10.4.
Detailed Overview:
A cross-site request forgery (CSRF) vulnerability was recently disclosed in the User Profile Builder plugin that could allow attackers to activate or deactivate any plugin on a site running a vulnerable version. This is due to missing nonce validation on the wppb_activate_pms_plugin and wppb_deactivate_pms_plugin functions that are used to activate and deactivate the Paid Member Subscriptions add-on. Without proper nonce validation, an attacker could craft requests targeting these functions and trick an admin into clicking a link or visiting a page that would automatically trigger the request. This could lead to plugins being activated or deactivated without the admin's consent. Versions 3.10.3 and below are affected. The developer has patched this issue in version 3.10.4 by adding proper nonce validation. All users are strongly advised to update as soon as possible.
Advice for Users:
- Immediate Action: Update to version 3.10.4 or higher as soon as possible.
- Check for Signs of Vulnerability: Review your plugins to see if any have been unexpectedly activated or deactivated.
- Alternate Plugins: Consider using an alternate user registration and profile management plugin like User Registration or WP User Avatar as a precaution.
- Stay Updated: Always keep your WordPress plugins updated to the latest versions. Sign up for update notifications from the plugin repository.
Conclusion:
The prompt response from the plugin developers to patch this vulnerability is appreciated. Users are strongly advised to update to version 3.10.4 immediately to secure their WordPress installations against potential CSRF attacks leveraging this issue.
References:
https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/profile-builder
Detailed Report:
Keeping your WordPress website secure should be a top priority for any website owner. Unfortunately, vulnerabilities in popular plugins can put your site at risk if left unpatched. One such vulnerability was recently disclosed in the User Profile Builder plugin that allowed unauthenticated cross-site request forgery (CSRF). This means an attacker could potentially activate or deactivate plugins on your site without your consent.
While this vulnerability has now been patched, many users may still be running older, vulnerable versions of the plugin. If you use User Profile Builder, it is crucial you update to the latest version as soon as possible. Don’t let your hard work building a WordPress site be undone by lax security practices.
In this post we’ll explain the technical details of this vulnerability, how it puts your site at risk, and what you need to do to secure your website. We’ll also discuss best practices all WordPress users should follow to lock down vulnerabilities and prevent attacks.
About the Plugin
User Profile Builder is a popular WordPress plugin with over 3 million downloads. It allows you to easily build custom user registration forms, user profiles, and customize user roles. However, a serious vulnerability was recently disclosed that impacts versions up to and including 3.10.3.
Details of the Vulnerability
The vulnerability is a cross-site request forgery (CSRF) issue that allows unauthenticated attackers to activate or deactivate any plugin on your site. This is due to missing nonce validation on key plugin functions that handle plugin activation/deactivation. By exploiting this, an attacker could trick you into clicking a link that sends a request to activate or deactivate plugins without your consent.
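The missing-nonce pattern described in the Detailed Overview and in this section, shown beside its hardened form as an added illustration. This is not the User Profile Builder plugin's own code; the function names, query parameters and the add-on file path are assumed for the example.

```php
<?php
// Illustrative example only (not code from User Profile Builder): an admin
// action that activates a bundled add-on, first without and then with the
// checks WordPress expects for state-changing admin requests.

// VULNERABLE PATTERN: any request that reaches this handler while an
// administrator is logged in activates the add-on. Nothing proves the request
// originated from this site's own admin page, so a forged link an admin
// clicks is enough.
function example_activate_addon_vulnerable() {
    if ( isset( $_GET['example_activate_addon'] ) ) {
        activate_plugin( 'paid-member-subscriptions/index.php' ); // path assumed
    }
}

// HARDENED: require both a capability and a nonce bound to this action.
function example_activate_addon_hardened() {
    if ( ! isset( $_GET['example_activate_addon'] ) ) {
        return;
    }
    // Only users allowed to manage plugins at all may reach the action.
    if ( ! current_user_can( 'activate_plugins' ) ) {
        wp_die( 'Insufficient permissions.' );
    }
    // check_admin_referer() validates the nonce for the named action and
    // stops the request with a "link expired" page if it is missing or wrong.
    check_admin_referer( 'example_activate_addon', 'example_nonce' );

    $result = activate_plugin( 'paid-member-subscriptions/index.php' ); // path assumed
    if ( is_wp_error( $result ) ) {
        wp_die( esc_html( $result->get_error_message() ) );
    }
    wp_safe_redirect( admin_url( 'plugins.php?activated=true' ) );
    exit;
}
add_action( 'admin_init', 'example_activate_addon_hardened' );

// The button or link rendered in the admin page must carry the matching
// nonce, otherwise legitimate clicks fail the same check.
function example_activate_addon_link() {
    $url = add_query_arg( 'example_activate_addon', '1', admin_url( 'admin.php?page=example-cross-promotion' ) );
    return wp_nonce_url( $url, 'example_activate_addon', 'example_nonce' );
}
```

The nonce is tied to the logged-in user and the action name, so a link built elsewhere cannot carry a valid one; a deactivation handler needs the same two checks with its own action name.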
Risks and Potential Impact
This vulnerability poses serious risks if left unpatched:
- Attackers could activate malicious plugins that compromise your site's security.
- Legitimate security plugins could be deactivated, leaving your site open to other attacks.
- Plugin functionality could be disrupted, breaking key site features.
How to Fix the Vulnerability
The developer has patched this vulnerability in version 3.10.4. To secure your site, you should:
- Update to version 3.10.4 or higher immediately.
- Review activated plugins to check for anything suspicious.
- Consider switching to alternate plugins for added security.
- Enable auto-updates for plugins to stay on top of fixes.
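To support the "review activated plugins" step above, here is an added must-use plugin (not part of User Profile Builder) that logs every plugin activation or deactivation with the acting user, client address and Referer, and flags requests whose Referer is not this site, the typical shape of a forged cross-site request. The file name and log prefix are assumptions.

```php
<?php
/*
Plugin Name: Example Plugin Change Audit (illustrative mu-plugin)
*/
// Save as wp-content/mu-plugins/example-plugin-audit.php so it loads before
// ordinary plugins and cannot itself be deactivated from the admin UI.
// Writes one line to the PHP error log per activation/deactivation so an
// unexpected change shows up during review of the plugin list or the logs.

function example_log_plugin_change( $event, $plugin ) {
    $user    = wp_get_current_user();
    $referer = isset( $_SERVER['HTTP_REFERER'] ) ? $_SERVER['HTTP_REFERER'] : '';
    $ip      = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '-';
    $uri     = isset( $_SERVER['REQUEST_URI'] ) ? $_SERVER['REQUEST_URI'] : '-';

    // A state change triggered from a page on another host (or with no
    // Referer at all) is worth a closer look: normal admin clicks come from
    // this site's own dashboard.
    $site_host    = wp_parse_url( home_url(), PHP_URL_HOST );
    $referer_host = $referer ? wp_parse_url( $referer, PHP_URL_HOST ) : '';
    $suspicious   = ( $referer_host !== $site_host ) ? ' FLAG=cross-site-or-missing-referer' : '';

    error_log( sprintf(
        '[plugin-audit] %s plugin=%s user=%s(id=%d) ip=%s referer=%s uri=%s%s',
        $event,
        $plugin,
        $user->user_login ? $user->user_login : 'none',
        $user->ID,
        $ip,
        $referer ? $referer : '-',
        $uri,
        $suspicious
    ) );
}

add_action( 'activated_plugin', function ( $plugin ) {
    example_log_plugin_change( 'activated', $plugin );
}, 10, 1 );

add_action( 'deactivated_plugin', function ( $plugin ) {
    example_log_plugin_change( 'deactivated', $plugin );
}, 10, 1 );
```

Referer can be absent or stripped by browsers and proxies, so treat the flag as a prompt to investigate rather than proof of an attack.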
Previous Vulnerabilities
This is far from the first vulnerability found in User Profile Builder. There have been over 18 previous vulnerabilities disclosed since May 2014, underscoring the importance of prompt security updates.
The Importance of Staying Secure
Don't tackle WordPress security alone - the consequences of a breach are too great. At Your WP Guy, our managed WordPress maintenance services include layers of protection like auto-updates, malware scanning, firewalls and 24/7 monitoring by WordPress experts. We become your outsourced IT team.
Let's chat about migrating your site to our managed hosting so you can finally stop worrying about security issues. We'll fully audit and lock down your site as part of onboarding. Call us at 678-995-5169 to keep your business safe online.