WordPress Profile Builder plugin vertical privilege escalation

Secunia Advisory SA 49201


Profile builder implemented its own password recovery system on top of the existing wordpress system in /front-end/wppb.recover.password.php. It does so by taking a request with a password reset key which is generated using a statically salted md5 hash of the user name, userID and two static strings, both computed when the password reset mail is send and then calculated again when the user accesses the link provided in the password reset mail.

As you can see, we fetch the userID associated with the provided user name, and then proceed to recalculate the hash and compare that against the key provided. If those match, you can now change the password.

Because this value is not at all random, it allows us to calculate this value for any user granted that we know the user name and user id(Which could easily be guessed for most sites by iterating through even a small sequenstial list of numbers), and subsequently change their password even if they did not request it, causing a vertical privilege escalation vulnerability.

Proof of concept code

Leave a Reply