February 13

Critical Vulnerability In User profile Builder Plugin Allowed Web site Takeover

WordPress Vulnerabilities


This post was originally published on this site

Description: Unauthenticated Administrator Sign up
Affected Plugin: User profile Builder (Free, Professional, and Hobbyist versions impacted)
Affected Variations: <= 3.1.0
CVSS Score:
10.0 (Critical)
CVSS Vector:
Patched Version: 3.1.1

Earlier this week, a crucial vulnerability was patched in the Profile Builder plugin for WordPress. This vulnerability impacted the free version on the WordPress.org repository, and also the commercial Professional and Hobbyist variants. Based on the WordPress repository a lot more than 50,000 websites are running the totally free version of User profile Builder, and our estimates recommend there are approximately 15,000 installations of the Professional and Hobbyist variations, for around total of 65,000 affected sites.

Profile Builder versions up to 3.1.0 are influenced by this vulnerability. It is very important that any site owning a vulnerable edition of the plugin end up being updated to edition 3.1.1 immediately in order to avoid web site compromise. We’ve deployed a firewall principle to avoid exploitation on websites running Wordfence Premium. Websites using the free edition of Wordfence will have the rule after four weeks.

In this write-up we’ll have a look at the vulnerability and discuss its influence. We’ll furthermore detail some methods a site owner may take to mitigate the problem when an immediate upgrade isn’t feasible.

Vulnerability Summary

User profile Builder is really a plugin made to create customized forms that allow customers to join up, edit their profiles, and much more. It also includes a custom user part editor, enabling admins to assign custom made sets of privileges with their site’s customers.

To implement these custom consumer roles within the registration procedure, the plugin features form handlers to assign a selected function to a fresh user. This user part field isn’t existing by default, but could be added by an administrator to supply a summary of approved roles within a drop-down menus.

A good example of a Profile Builder registration form with a User Role dropdown field.

An exemplory case of a Profile Builder sign up form with a Consumer Role dropdown industry.

Unfortunately, the bug in the proper execution handler made it easy for a malicious consumer to submit input upon form areas that didn’t exist within the actual form. Particularly, if the web site’s administrator didn’t add an individual Role industry to the proper execution, an attacker could nevertheless inject a user function value to their form submission.

When an administrator provides an individual Role selector to an application, they have to decide on a list of approved functions for new customers. If this checklist is established, only approved functions will undoubtedly be accepted by the proper execution handler. However, once the User Role industry isn’t existing and an attacker submits a consumer part anyway, there is absolutely no list of approved functions and any insight is accepted.

These 2 issues combine to permit unauthenticated attackers to join up Administrator accounts upon vulnerable WordPress sites. With Administrator privileges, an attacker provides effectively bought out the site and will deploy malware along with other backdoors freely.

These problems have been patched by Profile Builder version 3.1.1.

Patch Details

As we mentioned in the overview above, the impact of the vulnerability is due to the conversation of two smaller bugs.

For the initial bug, the User profile Builder plugin’s type handler would process insight on the plugin’s achievable form fields, whether or not that field was within the proper execution. To patch this bug, the programmers created the validation functionality wppb_field_exists_in_form(). This validation is currently found in the handler perform of every possible form field, avoiding the injection of unintended ideals.

 * Function that checks in case a field kind exists in an application
 * @return bool
function wppb_industry_exists_in_form( $industry_type, $form_args )
    if( !empty( $form_args ) && !empty( $form_args['form_fields'] ) )
        foreach( $form_args['type_fields'] as $field )
            if( $field['field'] === $industry_type )
                return true;

    return false;

Patching this bug effectively stops exploitation of the next one, however the developers wisely set it as well. Along with confirming the custom_field_user_function field exists on the proper execution, the industry handler now explicitly denies tries to generate Administrator users.

/* handle industry save */
function wppb_userdata_include_user_part( $userdata, $global_request, $type_args )

    if( wppb_industry_exists_in_type( 'Select (User Role)', $type_args ) ) 

        $roles_editor_active = false;
        $wppb_generalSettings = get_choice('wppb_general_settings', 'not really_found');
        if ($wppb_generalSettings != 'not really_found') 
            if (!empty($wppb_generalSettings['rolesEditor']) && ($wppb_generalSettings['rolesEditor'] == 'yes')) 
                $roles_editor_active = true;

        if (isset($global_demand['custom_field_user_role'])) 
            if ($roles_editor_energetic && will be_array($global_request['custom_field_user_role'])) 
                $user_functions = array_map('trim', $worldwide_request['custom_field_user_role']);
                $user_functions = array_map('sanitize_textual content_field', $user_roles);

                //don't allow administrator worth. it will never be right here but in the event create a hard check
                if (($key = array_lookup("administrator", $user_roles)) !== fake) 

                $userdata['role'] = $user_functions;
                $role = sanitize_textual content_field(trim($global_request['custom_field_user_role']));
                if( $function !== 'administrator' ) //don't allow administrator value. it should in no way be here but simply in situation make a hard check
                    $userdata['role'] = $role;

    return $userdata;

As you can view in the if() statement online 181, an individual role assignment code won’t run if wppb_field_exists_in_form() returns False. In addition, checks on outlines 197 and 204 will avoid assignment if the designed role is administrator.

Assessing Impact

Considering all the factors of the vulnerability, we’ve calculated its CVSS severity rating as 10.0 (Critical). View the CVSS calculation here.

This score was identified in line with the following metrics:

  • Assault Vector: Network
    • The vulnerability could be exploited via HTTP(S) usage of an affected site.
  • Strike Complexity: Low
    • Simply no excessive effort is necessary by an attacker, simply the discovery of the vulnerable form.
  • Privileges Required: None
    • The vulnerability is exploited in an individual registration process, no prior authentication is essential.
  • User Conversation: None
    • No conversation by the web site’s administrator must exploit a vulnerable type.
  • Scope: Changed
    • The vulnerability exists in a plugin included into a WordPress application, but successful exploitation allows access far beyond the affected plugin itself.
  • Confidentiality: High
  • Integrity: High
  • Availability: High
    • All three CIA impact ratings are Saturated in cases in which a full web site takeover can be done. An attacker with Administrator privileges can disrupt web site behavior, harvest information, and inject malicious articles at will.

Short-Expression Mitigation

We strongly suggest updating User profile Builder to version 3.1.1 as quickly as possible to avoid a crucial security occasion on your own site. However, we recognize that some users could be restricted by revise workflows and other plans that can decelerate an effective response.

In the event your site is utilizing a vulnerable edition of User profile Builder and may’t be updated instantly, it’s probable to mitigate the severe nature of the vulnerability by modifying your current Profile Builder form areas. Since an attacker can only just create an Administrator accounts if an individual Role industry doesn’t exist within the form, you can include this industry and properly restrict it to one or even more authorized roles.

A screenshot of Profile Builder's interface, showing the creation of a Select (User Role) field.

A screenshot of User profile Builder’s user interface, showing the development of a Select (Consumer Role) field.

To include this field, gain access to the “Form Areas” page from User profile Builder’s sidebar menus. Near the top of this site, a dropdown will request you to choose an option. Pick the “Select (Consumer Role)” choice under Advanced. Complete the proper execution that appears giving the industry a name and explanation, then choose the role or functions that new users ought to be allowed to entry. For most websites, selecting Subscriber and absolutely nothing else will undoubtedly be sufficient.

To reiterate, it’s nevertheless of critical significance that affected users up-date their plugins as fast as possible even though a mitigation such as this is available. This will only become relied on as a short-term measure to avoid exploitation and soon you can patch your website.


  • February 10, 2020 – User profile Builder edition 3.1.1 is released. “Security upgrade” described in changelog. WPVulnDB entry developed by the vulnerability’s discoverer.
  • February 12, 2020 – We deployed a firewall guideline to safeguard Wordfence Premium customers from the vulnerability.
  • February 24, 2020 – Proof-of-idea (PoC) to be launched, based on the WPVulnDB entry.
  • March 13, 2020 – Firewall principle to end up being deployed to websites running the free edition of Wordfence.


Profile Builder versions up to 3.1.0 were suffering from a critical vulnerability that could allow hackers to dominate a site utilizing the plugin. All variants of the plugin, including Totally free, Pro, and Hobbyist, included the bugs in charge of this matter. These bugs had been patched in edition 3.1.1 of most variants, released on February 10th.

Wordfence Premium users already are protected by way of a new firewall guideline, and sites still utilizing the free edition of Wordfence may receive this principle on March 13th. Despite having a firewall rule set up, we still strongly suggest performing security improvements to completely mitigate the risk to your internet site.

At this period, we have seen simply no indication of malicious action wanting to exploit this vulnerability. We shall continue steadily to monitor for brand new exploitation campaigns that could emerge over period, and can report our findings because they come. If you were to think your site might have been compromised because of this vulnerability or any, don’t hesitate to attain out there to our Site Cleaning team.

In accordance to the vulnerability’s access within WPVulnDB, the discovering researcher intends release a a detailed proof-of-idea (PoC) on February 24th. While a negative actor could create an strike script by examining the adjustments manufactured in the patched edition with little trouble, the public discharge of a PoC frequently results in broad exploitation by hackers. It really is critically important that affected customers update to version 3.1.1 as quickly as possible. To help spread knowing of these concerns, please contemplate sharing this record with other people of the WordPress neighborhood.


The post Critical Vulnerability In Profile Builder Plugin Allowed Site Takeover appeared first on Wordfence.

About the author 

WP Maintain Support Protect

You may also like

Who Attacked SolarWinds and just why WordPress Users Have to know

Who Attacked SolarWinds and just why WordPress Users Have to know

SolarWinds and offer Chain Attacks: Could this happen to WordPress?

SolarWinds and offer Chain Attacks: Could this happen to WordPress?

WordPress Hardening: 18 Methods to Harden Security of one’s Website

WordPress Hardening: 18 Methods to Harden Security of one’s Website
{"email":"Email address invalid","url":"Website address invalid","required":"Required field missing"}

Subscribe to our newsletter now!