Recently, security researchers uncovered a critical vulnerability in Convert Plus WordPress Plugin. Read on to know more about this security vulnerability…
Recently, security researchers uncovered a critical vulnerability in Convert Plus WordPress Plugin. This security flaw allowed an unauthenticated attacker to create accounts with administrator privileges.
The critical vulnerability affects all versions of the Convert Plus plugin up to and including v3.4.2.
Researchers from Defiant uncovered a critical vulnerability in the Convert Plus WordPress plugin that allows an unauthenticated attacker to create accounts with administrator privileges. The vulnerability stems from a lack of filtering when the plugin processes its new-user subscription form.
Administrators can choose, when configuring the subscription form, the role that new subscribers receive. The administrator role is not offered in that drop-down menu, because the plugin deliberately keeps it off the list. However, vulnerable versions of the Convert Plus plugin carried the role setting in a hidden form field called “cp_set_user,” through which the administrator role could be selected. Security experts pointed out that the value of this field is supplied by the same HTTP request as the rest of the subscription entry, so the user submitting the form can modify it.
“However, in vulnerable versions of the plugin, this intended user role wasn’t fetched from the database on submission. Instead, this setting was reflected in a hidden field on the plugin’s forms called cp_set_user,” reads the analysis by the experts. “Because this value is supplied by the same HTTP request as the rest of the subscription entry, it can be modified by the user,” explains Michael Veenstra, threat analyst at Defiant.
An attacker can take advantage of this by submitting the subscription form with the value of ‘cp_set_user’ changed to ‘administrator’. Because new subscriptions are processed without any filtering, the plugin creates a new user with administrator privileges.
“This code calls the plugin’s function cp_add_new_user_role with the role provided in the AJAX request, which then handles the process of creating the user as directed,” continues the analysis. “Since no filtering is applied when this new subscription is processed, if an attacker submits a subscription form and changes the value of cp_set_user to “administrator”, the plugin will create an administrator user associated with the given email address.”
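The pattern described above, shown as an added illustration in the form of a hypothetical WordPress AJAX subscription handler. This is not Convert Plus code and none of the function names, the option name or the allowlist below belong to the plugin; they are assumptions made for the example. The vulnerable variant takes the role from the request, exactly the defect the analysis describes; the hardened variant ignores any role in the request, reads the administrator’s configured role from the database, and refuses anything outside an explicit allowlist that never contains `administrator`.

```php
<?php
// Added illustration (not Convert Plus code). Hypothetical handler names:
// hypo_subscribe_vulnerable() and hypo_subscribe_hardened().

// Roles a public subscription form may ever assign (constructed allowlist).
// 'administrator' is deliberately absent.
const HYPO_ALLOWED_SUBSCRIBER_ROLES = array( 'subscriber', 'contributor' );

// VULNERABLE PATTERN: the role comes from a hidden form field, so whoever
// sends the HTTP request decides which role the new account gets.
function hypo_subscribe_vulnerable() {
    $email = sanitize_email( wp_unslash( $_POST['email'] ?? '' ) );
    $role  = sanitize_text_field( wp_unslash( $_POST['cp_set_user'] ?? 'subscriber' ) );

    $user_id = wp_create_user( $email, wp_generate_password(), $email );
    if ( ! is_wp_error( $user_id ) ) {
        $user = new WP_User( $user_id );
        $user->set_role( $role ); // request-controlled: any role, including administrator
    }
    wp_send_json_success();
}

// HARDENED PATTERN: the request carries only the email; the role is fetched
// from the stored plugin setting and validated against the allowlist.
function hypo_subscribe_hardened() {
    $nonce = sanitize_text_field( wp_unslash( $_POST['_wpnonce'] ?? '' ) );
    if ( ! wp_verify_nonce( $nonce, 'hypo_subscribe' ) ) {
        wp_send_json_error( 'invalid request', 403 );
    }

    $email = sanitize_email( wp_unslash( $_POST['email'] ?? '' ) );
    if ( ! is_email( $email ) ) {
        wp_send_json_error( 'invalid email', 400 );
    }

    // Hypothetical option name; the administrator chose this value in the
    // plugin settings, and it is the only source of truth for the role.
    $role = get_option( 'hypo_new_subscriber_role', 'subscriber' );
    if ( ! in_array( $role, HYPO_ALLOWED_SUBSCRIBER_ROLES, true ) ) {
        $role = 'subscriber'; // fall back to least privilege on a bad setting
    }

    $user_id = wp_insert_user( array(
        'user_login' => $email,
        'user_email' => $email,
        'user_pass'  => wp_generate_password( 24 ),
        'role'       => $role,
    ) );
    if ( is_wp_error( $user_id ) ) {
        wp_send_json_error( $user_id->get_error_message(), 400 );
    }
    wp_send_json_success( array( 'user_id' => $user_id ) );
}

// Register only the hardened handler for both logged-in and anonymous
// submissions (the nopriv hook is what makes the form reachable unauthenticated).
add_action( 'wp_ajax_hypo_subscribe', 'hypo_subscribe_hardened' );
add_action( 'wp_ajax_nopriv_hypo_subscribe', 'hypo_subscribe_hardened' );
```

The essential difference is where the role comes from: a setting that only an administrator can write must be re-read on the server at submission time, never round-tripped through the client in a hidden field. The allowlist is a second line of defence so that a corrupted or tampered option value still cannot yield a privileged account.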
The attack creates the new admin account with a randomized password, but this is not an obstacle: the attacker can use the standard password-reset procedure to set a password of their own.
The developer behind the Convert Plus plugin, BrainstormForce, was notified of the vulnerability on May 24, 2019. The developer responded immediately and released a patch on May 29, 2019. The vulnerability is fixed in the latest Convert Plus plugin version, 3.4.3.
Due to the severity of the flaw, the developer has pushed an automatic update to the latest version through the WordPress backend. Administrators are advised to enable it as soon as possible.