Platform
wordpress
Component
profilepress
Fixed in
3.0.1
CVE-2021-34622 represents a critical privilege escalation vulnerability discovered in the ProfilePress WordPress plugin. This flaw allows unauthorized users to elevate their privileges to administrator, granting them complete control over the affected WordPress site. The vulnerability impacts versions 3.0.0 through 3.1.3, and a patch is available from the vendor.
The impact of CVE-2021-34622 is severe. A successful exploit allows an attacker to gain administrator-level access to the WordPress site without authentication. This grants them the ability to modify any content, install malicious plugins or themes, steal sensitive data (user credentials, financial information, etc.), and potentially deface the website. The blast radius extends to all data and functionality accessible by an administrator, making it a high-priority risk. This vulnerability shares similarities with other WordPress privilege escalation flaws where improper access controls are exploited to gain elevated permissions.
CVE-2021-34622 was publicly disclosed on July 7, 2021. Public proof-of-concept exploits are likely to emerge given the vulnerability's severity and ease of exploitation. The vulnerability is not currently listed on the CISA KEV catalog, but its critical CVSS score warrants close monitoring. Active exploitation campaigns are possible, particularly targeting sites running vulnerable versions of ProfilePress.
WordPress sites utilizing the ProfilePress plugin, particularly those running versions 3.0.0 through 3.1.3, are at significant risk. Shared hosting environments where multiple websites share the same server resources are especially vulnerable, as a compromise of one site could potentially lead to the compromise of others. Sites with weak password policies or those that haven't implemented proper user access controls are also at increased risk.
• wordpress / composer / npm:
  grep -r 'EditUserProfile.php' /var/www/html/wp-content/plugins/   # Locate the plugin's profile-editing code on disk
• wordpress / composer / npm:
  wp plugin list --fields=name,status,version | grep -i profilepress   # Show installed version and whether it is active
• wordpress / composer / npm:
  wp plugin update ProfilePress   # Or "wp plugin update --all" to update every plugin
• generic web:
  curl -I https://your-wordpress-site.com/wp-admin/profile.php | grep -i 'server'   # Check for unusual server headers after profile edits
Disclosure
Exploit status
EPSS
64.97% (98th percentile)
CVSS vector
The primary mitigation for CVE-2021-34622 is to immediately upgrade ProfilePress to a patched version. If upgrading is not immediately feasible due to compatibility issues or breaking changes, consider temporarily restricting user profile editing capabilities. Implement strict access controls and regularly review user roles and permissions. Monitor WordPress logs for suspicious activity related to user profile modifications. While a WAF cannot directly prevent this vulnerability, it can help detect and block malicious requests attempting to exploit it. There are no specific Sigma or YARA rules available at this time.
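A successful exploitation of this flaw ends with an account that holds the administrator role without anyone having granted it. The check below is an added example, not code from the advisory or from ProfilePress: it compares the logins that currently hold the administrator role against an approved list and reports any login that should not be there. On a live site the current list would come from WP-CLI's `wp user list --role=administrator --field=user_login`; the logins in the block are constructed sample data, and the approved-list file name in the usage comment is a placeholder.

```shell
#!/bin/sh
# Added example, not part of the advisory: a privilege escalation leaves behind
# an account that holds the administrator role without having been approved.
# This compares the current administrator logins against an approved list and
# prints any login that should not be there. On a live site the current list
# comes from WP-CLI (wp user list --role=administrator --field=user_login);
# the values below are constructed sample data, not real output.

# Sample "current administrators" as WP-CLI would print them, one login per line.
# pp_user42 is the constructed unexpected account.
SAMPLE_CURRENT="admin
editor_jane
pp_user42"

# Approved administrator logins, as kept under version control or in a secrets store.
SAMPLE_APPROVED="admin
editor_jane
ops_bob"

# Print logins in $1 (current list) that are absent from $2 (approved list).
# Both arguments are newline-separated strings; output is sorted and unique.
# Empty lines are dropped first, because an empty pattern line would make
# grep -f match every login and hide real findings.
unexpected_admins() {
    approved_file=$(mktemp)
    printf '%s\n' "$2" | sed '/^$/d' | sort -u > "$approved_file"
    # grep -v -x -F: drop every line that exactly equals an approved login.
    # grep exits 1 when nothing is left, which is the healthy case, so swallow it.
    printf '%s\n' "$1" | sed '/^$/d' | sort -u | grep -v -x -F -f "$approved_file" || true
    rm -f "$approved_file"
}

# Returns 0 when no unexpected administrator exists, 1 otherwise, so the check
# can gate a cron job or a deployment step.
audit_admins() {
    found=$(unexpected_admins "$1" "$2")
    if [ -n "$found" ]; then
        printf 'Unexpected administrator account(s):\n%s\n' "$found" >&2
        return 1
    fi
    return 0
}

# Demo run on the constructed sample data. On a real site (approved_admins.txt is a
# placeholder file name) the call would be:
#   audit_admins "$(wp user list --role=administrator --field=user_login)" "$(cat approved_admins.txt)"
audit_admins "$SAMPLE_CURRENT" "$SAMPLE_APPROVED" || true
```

Run from cron and the non-zero exit status becomes an alert; the approved list is the only state the check needs, so it also catches escalations that never touched the profile-editing path the advisory describes.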
Update the ProfilePress plugin to the latest available version. The vulnerability allows unauthorized users to raise their permissions to administrator, so it is essential to apply the update as soon as possible.
CVE-2021-34622 is a critical vulnerability in the ProfilePress WordPress plugin allowing users to escalate privileges to administrator level, potentially gaining full site control. It affects versions 3.0.0–3.1.3.
If you are using ProfilePress versions 3.0.0 through 3.1.3 on your WordPress site, you are potentially affected by this vulnerability. Check your plugin version immediately.
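The affected range given above (3.0.0 through 3.1.3) and the advice to check the installed version can be turned into a script. The block below is an added example, not code from the advisory or from ProfilePress: it reads the `Version:` line of a WordPress plugin header and decides whether that version falls inside the affected range. The plugin directory and main-file names in the usage comment are placeholders, and only plain numeric dotted versions are handled.

```shell
#!/bin/sh
# Added example, not part of the advisory: check whether an installed ProfilePress
# version falls inside the affected range 3.0.0 through 3.1.3 given on the page.
# The plugin path in the usage comment is a placeholder; adjust it to the real
# install. Only numeric dotted versions are handled (no pre-release suffixes).

# Compare two dotted numeric versions field by field (missing fields count as 0).
# Prints -1 if $1 < $2, 0 if equal, 1 if $1 > $2; always exits 0 so it is safe
# under "set -e" when used inside a command substitution.
vercmp() {
    IFS=. read -r a1 a2 a3 rest <<EOF
$1
EOF
    IFS=. read -r b1 b2 b3 rest <<EOF
$2
EOF
    for pair in "${a1:-0}:${b1:-0}" "${a2:-0}:${b2:-0}" "${a3:-0}:${b3:-0}"; do
        x=${pair%%:*}
        y=${pair#*:}
        if [ "$x" -gt "$y" ]; then printf '%s\n' 1; return 0; fi
        if [ "$x" -lt "$y" ]; then printf '%s\n' -1; return 0; fi
    done
    printf '%s\n' 0
}

# Exit 0 (true) when the version is within [3.0.0, 3.1.3], the range the advisory
# lists as affected; exit 1 otherwise.
profilepress_vulnerable() {
    lo=$(vercmp "$1" 3.0.0)
    hi=$(vercmp "$1" 3.1.3)
    [ "$lo" != "-1" ] && [ "$hi" != "1" ]
}

# Read the "Version:" line of a WordPress plugin header file and print the
# numeric version (empty output if no header line is found).
plugin_header_version() {
    sed -n 's/^[[:space:]]*\**[[:space:]]*Version:[[:space:]]*\([0-9][0-9.]*\).*/\1/p' "$1" | head -n 1
}

# Usage on a real install (directory and file names are placeholders):
#   v=$(plugin_header_version /var/www/html/wp-content/plugins/<profilepress-dir>/<main-file>.php)
#   if profilepress_vulnerable "$v"; then echo "ProfilePress $v is in the affected range"; fi
```

The field-by-field comparison matters: a plain string comparison would rank 3.10.0 below 3.9.0, and reading the header file directly works even when WP-CLI is unavailable or the plugin is installed but inactive.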
The recommended fix is to immediately upgrade ProfilePress to the latest available version. If upgrading is not possible, consider temporary restrictions on user profile editing.
While no confirmed active exploitation campaigns are publicly known, the vulnerability's severity and ease of exploitation make it a likely target. Monitor your site closely.
Refer to the ProfilePress website and WordPress plugin repository for the latest information and security advisories related to CVE-2021-34622.