On January 4, 2022 the Wordfence Threat Intelligence team initiated the responsible disclosure process for a vulnerability we discovered in “Profile Builder – User Profile & User Registration Forms”, a WordPress plugin that is installed on over 50,000 WordPress websites. This vulnerability makes it possible for an unauthenticated attacker to craft a request that contains malicious JavaScript. If the attacker is able to trick a site administrator or user into performing an action, the malicious JavaScript executes, making it possible for the attacker to create new admin users, redirect victims, or engage in other harmful attacks.
We sent the full disclosure details to the developer on January 6, 2022 after the vendor confirmed the inbox for handling the discussion. They were quick to acknowledge the report and released a fix on January 10, 2022.
We strongly recommend ensuring that your site has been updated to the latest patched version of “Profile Builder – User Profile & User Registration Forms”, which is version 3.6.5 at the time of this publication.
Description: Reflected Cross-Site Scripting
Affected Plugin: Profile Builder – User Profile & User Registration Forms
Plugin Slug: profile-builder
Plugin Developer: Cozmoslabs
Affected Versions: <= 3.6.1
CVE ID: CVE-2022-0653
CVSS Score: 6.1 (Medium)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Researcher/s: Chloe Chamberland
Fully Patched Version: 3.6.2
Profile Builder – User Profile & User Registration Forms is a plugin designed to add enhanced user profile and registration capabilities to a WordPress site. The vulnerability in the plugin was simple.
The plugin added a file ~/assets/misc/fallback-page.php which was used as a fallback page in the instance that there was no activation page selected for the user activation email functionality. Unfortunately, this file used the user supplied value from the site_url parameter with insufficient sanitization/escaping and validation in an ‘href’ attribute which meant that it was possible for attackers to use the JavaScript pseudo protocol, javascript:, to inject malicious scripts.
Due to the fact that the attacker could also control some of the data on the page via the site_name and message parameter, an attacker could format it to look like it was a 404 page containing a link that the user needs to click in order to return to the site, which helps make it significantly less suspicious than other possible ways the payload could have been presented. If a user clicked the link from "Click here" it would trigger the execution of the JavaScript.
Example of exploit (https://email.wordfence.com/e3t/Btc/GC+113/cwG7R04/VWjQgs4rqL9QW6T5ZlL7X8k2pVNrtzX4FFLr1N2v9B135js6pV3Zsc37CgWl-W5DfXFH7C2H_VW2dPx1R7nxln-N5QrQb4Bk2zKM5z2pMl6-hmN77-PypPjB9nW365Szn6mQNZ8W3DH38v7TjdNGW37tY9l8LjYpjW8BC38517VQ6rW5Z2X-T3dHMdwW1SrGbr3RptyxW23FtLg4BTd00W2MM_TQ6z6d9gW9hnmWN7l_JnJW1992NW4Tnyr8W7GK-bg1x0nyPW60vRmd1cH6CQW77rVN06y04LCW6Cnln-7cGrMcW89rHc63rTsxwW6gp15_8JdPF4N53pY6Ppt6GmN1NtRSsJ5-bBVzsg1j7vJdN7W8bdVmT4scnjDN6YJFTs9NtwjW6XhtcF5mX5H0VSkq2b1QHc2YW5Tb0cg2CL7zCMNl9bJ2G01dVtS1cf6hyNjSW6LhBZy83WVWL32W61 )
Cross-Site Scripting vulnerabilities can be exploited to perform several actions like creating new administrative user accounts, injecting theme and plugin files with backdoors, and redirecting visitors to malicious sites, all of which can be used for complete site takeover. This vulnerability requires users to click on a link in order to be successful, and is a reminder for site administrators and users to follow security best practices and avoid clicking on links from untrusted sources.
This vulnerability could also be used to redirect the user to a malicious site by simply injecting any domain in the site_url parameter.
Timeline
January 4, 2022 – Conclusion of the plugin analysis that led to the discovery of a Reflected Cross-Site Scripting Vulnerability in the “Profile Builder – User Profile & User Registration Forms” plugin. We verify that the Wordfence firewall provides sufficient coverage. We initiate contact with the developer.
January 5, 2022 – The developer confirms the inbox for handling the discussion.
January 6, 2022 – We send over the full disclosure details. The developer acknowledges the report and indicates that they will work on a fix.
January 10, 2022 – A fully patched version of the plugin is released as version 3.6.2.
Conclusion
In today’s post, we detailed a flaw in the “Profile Builder – User Profile & User Registration Forms” plugin that made it possible for unauthenticated attackers to inject malicious JavaScript onto a vulnerable site that would execute whenever an unsuspecting user clicked on a link containing the malicious payload. This flaw has been fully patched in version 3.6.2.
We recommend that WordPress site owners immediately verify that their site has been updated to the latest patched version available, which is version 3.6.5 at the time of this publication.