Description: User Registration <= 3.0.2 – Authenticated (Subscriber+) Arbitrary File Upload Affected Plugin: User Registration – Custom Registration Form, Login Form And User Profile For WordPress Plugin Slug: user-registration Affected Versions: <= 3.0.2 CVE ID: CVE-2023-3342 CVSS Score: 9.9 (Critical) CVSS Vector:CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H Researcher/s: Lana Codes Fully Patched Version: 3.0.2.1 The User Registration plugin for WordPress is vulnerable to arbitrary file uploads due to a hardcoded encryption key and missing file type validation on the ‘ur_upload_profile_pic’ function in versions up to, and including, 3.0.2. This makes it possible for authenticated attackers with subscriber-level capabilities or above to upload arbitrary files on the affected site’s server which may make remote code execution possible. This was partially patched in version 3.0.2 and fully patched in version 3.0.2.1. Technical Analysis The User Registration plugin provides a versatile drag and drop registration form builder, with custom fields and unlimited customization options. It also provides a login form. After logging in, it provides users with a profile that allows various types of customization, including uploading a profile picture. Examining the code reveals that the plugin uses two separate functions to set the profile picture. The first AJAX function uploads the profile picture to a temp folder, and the second request moves the file and sets the profile picture to the user. The profile_pic_upload() function uses a generic image upload solution, which checks the file extension and then uploads the image to the temp folder. The interesting part is that the data from the uploaded file is encrypted within the AJAX response: [VIEW THIS CODE SNIPPET ON THE BLOG] JSON response after the file upload in the profile_pic_upload() function The encrypted upload_files data in the response is something like this: upload_files-response Encryption is used due to the way the plugin handles uploads because the encrypted data is decrypted and used to determine the filename and filepath where the file is saved for the user. However, for data to be encrypted and decrypted, an encryption key is required. As a general rule, encryption keys should be confidential and unique to each website. [VIEW THIS CODE SNIPPET ON THE BLOG] We unfortunately found that the encryption key is hardcoded in vulnerable versions of the plugin in the crypt_the_string() function, which means that threat actors also had access to the key which was not unique per WordPress installation. This makes it possible for attackers to craft an uploaded files data array payload that can be used to modify the filename, path, and extension when saving the profile picture. The plugin calls the function ur_upload_profile_pic() when saving the profile, which contains the following code: [VIEW THIS CODE SNIPPET ON THE BLOG] Rename and move the file in ur_upload_profile_pic() function The function decrypts the encrypted file data, which is specified in the save request. Based on this data, the file in the temp folder is moved and renamed using the rename() php function. Unfortunately, however, there is no file type check before it, which means that the image file can be renamed to a file with any type of extension, such as .php, .phtml, .html, and more. Exploit Possibilities Exploiting the vulnerability requires multiple complex steps, as two separate functions and requests must be used to upload and move the file: - Register a user - Log in as the user (since it is only possible to upload a profile picture for the user) - Upload the malicious exploit.png image file - Retrieve the encrypted file data from the response - Decrypt the file data - Modify the file extension to php in the file name - Encrypt the file data - Save the profile with the encrypted and modified file data Since it is only possible to upload an image file during the upload process, because its extension is checked, the initial step involves uploading a file named, for example, exploit.png as a profile picture with the following request: user_registration_profile_pic_upload-http-request In this scenario, the attacker uploads an exploit.png file, which is actually a PHP script, but with a .png extension: [VIEW THIS CODE SNIPPET ON THE BLOG] The response will be a json payload containing the encrypted result returned from the profile_pic_upload() function. The ‘upload_files’ parameter needs to be decrypted using the hardcoded key, which will return a serialized array, similar to this: upload_files-array The attacker would then change the file name from exploit.png to exploit.php and re-encrypt the array. The newly encrypted result can then be used when saving the profile in the next request: save_profile_details-http-request The exploit renames the image file to php and moves it to the profile pictures folder. The complete exploit process looks like this: user-registration-howto-wordfence Wordfence Firewall The following graphic demonstrates the steps to exploitation an attacker might take and at which point the Wordfence firewall would block an attacker from successfully exploiting the vulnerability. user-registration-howto-wordfence-firewall Disclosure Timeline June 19, 2023 – Discovery of the Arbitrary File Upload vulnerability in User Registration. June 19, 2023 – We initiate contact with the plugin vendor asking that they confirm the inbox for handling the discussion. June 19, 2023 – The vendor confirms the inbox for handling the discussion. June 19, 2023 – We send over the full disclosure details. The vendor acknowledges the report and begins working on a fix. June 20, 2023 – Wordfence Premium, Care, and Response users receive a firewall rule to provide protection against any exploits that may target this vulnerability. June 29, 2023 – A partial patch is released in version 3.0.2. July 4, 2023 – A fully patched version of the plugin, 3.0.2.1, is released. July 20, 2023 – Wordfence Free users receive the same protection. Conclusion In this blog post, we detailed an Arbitrary File Upload vulnerability within the User Registration plugin affecting versions 3.0.2 and earlier. This vulnerability allows authenticated threat actors with subscriber-level permissions or higher to upload arbitrary files, including PHP backdoors, and execute those files on the server. The vulnerability has been fully addressed in version 3.0.2.1 of the plugin. We encourage WordPress users to verify that their sites are updated to the latest patched version of User Registration. Wordfence Premium, Wordfence Care, and Wordfence Response users received a firewall rule to protect against any exploits targeting this vulnerability on June 20, 2023. Sites still using the free version of Wordfence will receive the same protection on July 20, 2023. If you know someone who uses this plugin on their site, we recommend sharing this advisory with them to ensure their site remains secure, as this vulnerability poses a significant risk. For security researchers looking to disclose vulnerabilities responsibly and obtain a CVE ID, you can submit your findings to Wordfence Intelligence and potentially earn a spot on our leaderboard.