what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

WordPress Cozmoslabs Profile Builder 3.6.1 Cross Site Scripting

WordPress Cozmoslabs Profile Builder 3.6.1 Cross Site Scripting
Posted Feb 17, 2022
Authored by Chloe Chamberland | Site wordfence.com

WordPress Cozmoslabs Profile Builder plugin versions 3.6.1 and below suffer from a cross site scripting vulnerability.

tags | advisory, xss
advisories | CVE-2022-0653
SHA-256 | 227d0cbc687a81308dae38c43331e51ea397ccd24a1a3764724ddc45172f1143

WordPress Cozmoslabs Profile Builder 3.6.1 Cross Site Scripting

Change Mirror Download
On January 4, 2022 the Wordfence Threat Intelligence team initiated the responsible disclosure process for a vulnerability we discovered in “Profile Builder – User Profile & User Registration Forms”, a WordPress plugin that is installed on over 50,000 WordPress websites. This vulnerability makes it possible for an unauthenticated attacker to craft a request that contains malicious JavaScript. If the attacker is able to trick a site administrator or user into performing an action, the malicious JavaScript executes, making it possible for the attacker to create new admin users, redirect victims, or engage in other harmful attacks.


We sent the full disclosure details to the developer on January 6, 2022 after the vendor confirmed the inbox for handling the discussion. They were quick to acknowledge the report and released a fix on January 10, 2022.

We strongly recommend ensuring that your site has been updated to the latest patched version of “Profile Builder – User Profile & User Registration Forms”, which is version 3.6.5 at the time of this publication.


Description: Reflected Cross-Site Scripting

Affected Plugin: Profile Builder – User Profile & User Registration Forms

Plugin Slug: profile-builder

Plugin Developer: Cozmoslabs

Affected Versions: <= 3.6.1

CVE ID: CVE-2022-0653

CVSS Score: 6.1 (Medium)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Researcher/s: Chloe Chamberland

Fully Patched Version: 3.6.2

Profile Builder – User Profile & User Registration Forms is a plugin designed to add enhanced user profile and registration capabilities to a WordPress site. The vulnerability in the plugin was simple.

The plugin added a file ~/assets/misc/fallback-page.php which was used as a fallback page in the instance that there was no activation page selected for the user activation email functionality. Unfortunately, this file used the user supplied value from the site_url parameter with insufficient sanitization/escaping and validation in an ‘href’ attribute which meant that it was possible for attackers to use the JavaScript pseudo protocol, javascript:, to inject malicious scripts.

Due to the fact that the attacker could also control some of the data on the page via the site_name and message parameter, an attacker could format it to look like it was a 404 page containing a link that the user needs to click in order to return to the site, which helps make it significantly less suspicious than other possible ways the payload could have been presented. If a user clicked the link from "Click here" it would trigger the execution of the JavaScript.

Example of exploit (https://email.wordfence.com/e3t/Btc/GC+113/cwG7R04/VWjQgs4rqL9QW6T5ZlL7X8k2pVNrtzX4FFLr1N2v9B135js6pV3Zsc37CgWl-W5DfXFH7C2H_VW2dPx1R7nxln-N5QrQb4Bk2zKM5z2pMl6-hmN77-PypPjB9nW365Szn6mQNZ8W3DH38v7TjdNGW37tY9l8LjYpjW8BC38517VQ6rW5Z2X-T3dHMdwW1SrGbr3RptyxW23FtLg4BTd00W2MM_TQ6z6d9gW9hnmWN7l_JnJW1992NW4Tnyr8W7GK-bg1x0nyPW60vRmd1cH6CQW77rVN06y04LCW6Cnln-7cGrMcW89rHc63rTsxwW6gp15_8JdPF4N53pY6Ppt6GmN1NtRSsJ5-bBVzsg1j7vJdN7W8bdVmT4scnjDN6YJFTs9NtwjW6XhtcF5mX5H0VSkq2b1QHc2YW5Tb0cg2CL7zCMNl9bJ2G01dVtS1cf6hyNjSW6LhBZy83WVWL32W61 )

Cross-Site Scripting vulnerabilities can be exploited to perform several actions like creating new administrative user accounts, injecting theme and plugin files with backdoors, and redirecting visitors to malicious sites, all of which can be used for complete site takeover. This vulnerability requires users to click on a link in order to be successful, and is a reminder for site administrators and users to follow security best practices and avoid clicking on links from untrusted sources.

This vulnerability could also be used to redirect the user to a malicious site by simply injecting any domain in the site_url parameter.

Timeline

January 4, 2022 – Conclusion of the plugin analysis that led to the discovery of a Reflected Cross-Site Scripting Vulnerability in the “Profile Builder – User Profile & User Registration Forms” plugin. We verify that the Wordfence firewall provides sufficient coverage. We initiate contact with the developer.

January 5, 2022 – The developer confirms the inbox for handling the discussion.

January 6, 2022 – We send over the full disclosure details. The developer acknowledges the report and indicates that they will work on a fix.

January 10, 2022 – A fully patched version of the plugin is released as version 3.6.2.

Conclusion

In today’s post, we detailed a flaw in the “Profile Builder – User Profile & User Registration Forms” plugin that made it possible for unauthenticated attackers to inject malicious JavaScript onto a vulnerable site that would execute whenever an unsuspecting user clicked on a link containing the malicious payload. This flaw has been fully patched in version 3.6.2.

We recommend that WordPress site owners immediately verify that their site has been updated to the latest patched version available, which is version 3.6.5 at the time of this publication.
Login or Register to add favorites

File Archive:

October 2022

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Oct 1st
    10 Files
  • 2
    Oct 2nd
    0 Files
  • 3
    Oct 3rd
    12 Files
  • 4
    Oct 4th
    15 Files
  • 5
    Oct 5th
    18 Files
  • 6
    Oct 6th
    0 Files
  • 7
    Oct 7th
    0 Files
  • 8
    Oct 8th
    0 Files
  • 9
    Oct 9th
    0 Files
  • 10
    Oct 10th
    0 Files
  • 11
    Oct 11th
    0 Files
  • 12
    Oct 12th
    0 Files
  • 13
    Oct 13th
    0 Files
  • 14
    Oct 14th
    0 Files
  • 15
    Oct 15th
    0 Files
  • 16
    Oct 16th
    0 Files
  • 17
    Oct 17th
    0 Files
  • 18
    Oct 18th
    0 Files
  • 19
    Oct 19th
    0 Files
  • 20
    Oct 20th
    0 Files
  • 21
    Oct 21st
    0 Files
  • 22
    Oct 22nd
    0 Files
  • 23
    Oct 23rd
    0 Files
  • 24
    Oct 24th
    0 Files
  • 25
    Oct 25th
    0 Files
  • 26
    Oct 26th
    0 Files
  • 27
    Oct 27th
    0 Files
  • 28
    Oct 28th
    0 Files
  • 29
    Oct 29th
    0 Files
  • 30
    Oct 30th
    0 Files
  • 31
    Oct 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Hosting By
Rokasec
close