A vulnerability in a popular WordPress user role plugin lets any random person create an admin-level account on targeted websites.
The bug in Profile Builder was given a CVSS score of 10.0 by WordPress security biz Wordfence, though precise details of the bug are not yet available on the usual CVE-tracking websites.
According to Wordfence: "A bug in the form handler made it possible for a malicious user to submit input on form fields that didn't exist in the actual form. Specifically, if the site's administrator didn't add the User Role field to the form, an attacker could still inject a user role value into their form submission."
Profile Builder is a form-building plugin used mainly for blogs and websites with comment sections. Going by the description on the WordPress.org plugin repository, it automates the user registration process and adds a nice-looking frontend menu for users to do things like request password resets and so on.
Wordfence reckoned in a detailed blog post that if, during initial setup of Profile Builder versions up to and including version 3.1.0, a site admin did not set a default user role field for newly registered users, a malicious person could simply submit a new user registration along with their own chosen user role, such as admin.
If no user role was defined by the site admin during initial setup of the plugin, the form field defining the user role was not present for new users registrations – yet the plugin would happily act on a form field if one was received. An unauthenticated attacker could therefore remotely create an admin-level account and cause chaos.
Version 3.1.1 of Profile Builder was released a week ago. Wordpress.org's counter tracks 50,000 installs of the plugin.
Vulnerabilities in WordPress plugins are not uncommon. Just a few weeks ago a similar authentication vuln was plugged in two popular plugins running on around 320,000 WordPress-powered websites. ®