Platform
wordpress
Component
profilepress
Fixed in
3.1.4
CVE-2021-34622 is a critical privilege escalation vulnerability in the ProfilePress WordPress plugin, specifically in the user profile update component (~/src/Classes/EditUserProfile.php). Any logged-in user, including a low-privileged account such as a subscriber, could elevate their own role to administrator while editing their profile, gaining complete control of the affected site. Versions 3.0.0 through 3.1.3 are affected; the vendor fixed the issue in 3.1.4.
The impact of CVE-2021-34622 is severe. Successful exploitation gives an attacker who holds any account on the site (one they self-registered, if registration is open, or a compromised low-privileged account) administrator-level access. The underlying weakness is that the profile-update handler passed submitted fields through to the user record without restricting which fields a user may change, so a crafted profile-edit request could set the account's own role and capabilities. With administrator rights the attacker can modify any content, install malicious plugins or themes, steal sensitive data (user credentials, financial information, customer data) and deface the site, and can use the compromised site as a launchpad for attacks against other systems on the network, significantly widening the blast radius. The flaw resembles other WordPress privilege escalation bugs in which user-profile manipulation is used to gain unauthorized access.
CVE-2021-34622 was publicly disclosed on July 7, 2021. No active exploitation campaign has been definitively confirmed, and it is not currently listed in the CISA KEV catalog, but its critical severity and ease of exploitation (a single crafted profile-update request from an ordinary account) make it a likely target. Public proof-of-concept exploits are available, which raises the risk of widespread exploitation.
Exploit Status
EPSS
64.97% (98th percentile)
CVSS Vector
The primary mitigation for CVE-2021-34622 is to upgrade ProfilePress to 3.1.4 or later immediately. If upgrading is not immediately feasible because of compatibility issues or breaking changes, temporarily disable the plugin's front-end profile-edit form (or deactivate the plugin) so that users can only edit profiles through the WordPress core profile screen, which already discards role fields submitted by non-administrators. Note that the vulnerable code path is the plugin's own profile-update handler, not /wp-admin/profile.php, so a Web Application Firewall (WAF) rule must target submissions of the ProfilePress profile form: block or alert on profile-update requests that carry role or capability fields (for example a field named after the capabilities user-meta key, which is wp_capabilities on a default single-site install). On the detection side, monitor for role changes that were not made by an administrator: audit rows in wp_usermeta whose meta_key is the capabilities key, hook the set_user_role action, and review web-server logs for profile-edit submissions from unusual IP addresses or user agents. After upgrading, verify the fix by logging in as a subscriber, submitting the profile-edit form with an extra role or capability field set to administrator, and confirming that the account's role is unchanged.
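For the window between discovery and upgrade, the following must-use plugin is a temporary virtual patch written here as an added example; it is not ProfilePress or WordPress project code, and the `guard_` function names are hypothetical. It guards the data layer rather than the form: any write to the capabilities user-meta key that is not made by an account allowed to promote users is refused and logged, except writes that assign only the site's default registration role or leave the role unchanged, so ordinary sign-ups and self-edits keep working.

```php
<?php
/**
 * Plugin Name: Guard user capability writes
 * Description: Added example, not ProfilePress or WordPress project code.
 * Temporary virtual patch: place in wp-content/mu-plugins/ while upgrading.
 * Refuses any write to a user's capabilities meta that does not come from an
 * account allowed to promote users, unless the write assigns only the default
 * registration role or leaves the stored role unchanged.
 */

if ( ! defined( 'ABSPATH' ) ) {
    exit;
}

/** Meta key holding a user's roles (wp_capabilities on a default install; prefix varies per site). */
function guard_caps_meta_key() {
    global $wpdb;
    return $wpdb->get_blog_prefix() . 'capabilities';
}

/** True when $caps grants nothing beyond the site's default registration role. */
function guard_is_default_role_only( $caps ) {
    if ( ! is_array( $caps ) ) {
        return false; // serialized strings or other shapes are never a plain default-role grant
    }
    $default = get_option( 'default_role', 'subscriber' );
    foreach ( $caps as $role => $granted ) {
        if ( $granted && $role !== $default ) {
            return false;
        }
    }
    return true;
}

/**
 * Runs for both add_user_metadata and update_user_metadata. WordPress skips
 * the database write whenever this filter returns a non-null value.
 */
function guard_user_caps_write( $check, $user_id, $meta_key, $meta_value ) {
    if ( $meta_key !== guard_caps_meta_key() ) {
        return $check; // not a role write: let WordPress proceed as usual
    }
    if ( current_user_can( 'promote_users' ) || ( defined( 'WP_CLI' ) && WP_CLI ) ) {
        return $check; // administrators and WP-CLI may change roles
    }
    $current = get_user_meta( $user_id, $meta_key, true );
    if ( $current === $meta_value || guard_is_default_role_only( $meta_value ) ) {
        return $check; // unchanged role, or a normal sign-up receiving the default role
    }
    error_log( sprintf(
        '[caps-guard] blocked capability write: target user %d, actor user %d, ip %s, uri %s, requested %s',
        (int) $user_id,
        get_current_user_id(),
        isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'cli',
        isset( $_SERVER['REQUEST_URI'] ) ? $_SERVER['REQUEST_URI'] : '-',
        wp_json_encode( $meta_value )
    ) );
    return false; // any non-null value short-circuits the write
}

add_filter( 'add_user_metadata', 'guard_user_caps_write', 10, 4 );
add_filter( 'update_user_metadata', 'guard_user_caps_write', 10, 4 );
```

Blocked attempts appear in the PHP error log (or wp-content/debug.log when WP_DEBUG_LOG is enabled) with the acting user, source IP and request URI, which doubles as the monitoring signal described above. Because the check sits on the meta write rather than on one form, it also covers the registration path of the same plugin. Remove the file once ProfilePress 3.1.4 or later is installed; it is a stopgap, not a replacement for the vendor fix.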
Update ProfilePress to 3.1.4 or later. The vulnerability lets any logged-in user escalate their own role to administrator, so apply the update as soon as possible.
CVE-2021-34622 is a critical vulnerability in the ProfilePress WordPress plugin that lets a logged-in user escalate their privileges to administrator while editing their profile, potentially gaining full control of the site. It affects versions 3.0.0–3.1.3 and is fixed in 3.1.4.
If you are using ProfilePress versions 3.0.0 through 3.1.3 on your WordPress site, you are potentially affected by this vulnerability. Check your plugin version immediately.
The recommended fix is to upgrade ProfilePress to 3.1.4 or later immediately. If that is not possible, temporarily disable the plugin's front-end profile-edit form until you can.
While no confirmed active exploitation campaigns are publicly known, the vulnerability's severity and ease of exploitation make it a likely target. Monitor your site closely.
Refer to the ProfilePress website and WordPress plugin repository for the latest information and security advisories related to CVE-2021-34622.