A Privilege Escalation vulnerability has been identified in the WordPress ProfilePress Plugin. This vulnerability could allow a malicious actor with low privileges to escalate their privileges to something higher, such as administrator privileges. This could then allow them to take full control of the website.

This vulnerability was discovered and responsibly reported by Revan Arifio.

The vulnerability is a Privilege Escalation vulnerability that occurs in the profilepress-admin.php file. The vulnerability allows an attacker to exploit a flaw in the way that the plugin handles user input to gain elevated privileges.

Severity:

The vulnerability has a CVSS 3.1 score of 8.6, which is considered to be critical. This means that the vulnerability is very likely to be exploited and could have a severe impact on the affected system.

Affected Versions:

To mitigate this critical security risk, Users of the ProfilePress Plugin strongly recommend updating ProfilePress Plugin to the latest available version, specifically version 4.13.2 or higher.

Impact:

An attacker who successfully exploits this vulnerability could:

  • Gain administrator privileges on the website.
  • Install malicious plugins or themes.
  • Delete or modify files.
  • Inject malicious code into the website.
  • Take any other action that an administrator could do.

Recommendation:

Users of the ProfilePress Plugin are strongly advised to update to the latest available version (at least 4.13.2). This vulnerability has been fixed in version 4.13.2.