exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

WordPress Cozmoslabs Profile Builder 3.6.1 Cross Site Scripting

WordPress Cozmoslabs Profile Builder 3.6.1 Cross Site Scripting
Posted Feb 17, 2022
Authored by Chloe Chamberland | Site wordfence.com

WordPress Cozmoslabs Profile Builder plugin versions 3.6.1 and below suffer from a cross site scripting vulnerability.

tags | advisory, xss
advisories | CVE-2022-0653
SHA-256 | 227d0cbc687a81308dae38c43331e51ea397ccd24a1a3764724ddc45172f1143

WordPress Cozmoslabs Profile Builder 3.6.1 Cross Site Scripting

Change Mirror Download
On January 4, 2022 the Wordfence Threat Intelligence team initiated the responsible disclosure process for a vulnerability we discovered in “Profile Builder – User Profile & User Registration Forms”, a WordPress plugin that is installed on over 50,000 WordPress websites. This vulnerability makes it possible for an unauthenticated attacker to craft a request that contains malicious JavaScript. If the attacker is able to trick a site administrator or user into performing an action, the malicious JavaScript executes, making it possible for the attacker to create new admin users, redirect victims, or engage in other harmful attacks.


We sent the full disclosure details to the developer on January 6, 2022 after the vendor confirmed the inbox for handling the discussion. They were quick to acknowledge the report and released a fix on January 10, 2022.

We strongly recommend ensuring that your site has been updated to the latest patched version of “Profile Builder – User Profile & User Registration Forms”, which is version 3.6.5 at the time of this publication.


Description: Reflected Cross-Site Scripting

Affected Plugin: Profile Builder – User Profile & User Registration Forms

Plugin Slug: profile-builder

Plugin Developer: Cozmoslabs

Affected Versions: <= 3.6.1

CVE ID: CVE-2022-0653

CVSS Score: 6.1 (Medium)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Researcher/s: Chloe Chamberland

Fully Patched Version: 3.6.2

Profile Builder – User Profile & User Registration Forms is a plugin designed to add enhanced user profile and registration capabilities to a WordPress site. The vulnerability in the plugin was simple.

The plugin added a file ~/assets/misc/fallback-page.php which was used as a fallback page in the instance that there was no activation page selected for the user activation email functionality. Unfortunately, this file used the user supplied value from the site_url parameter with insufficient sanitization/escaping and validation in an ‘href’ attribute which meant that it was possible for attackers to use the JavaScript pseudo protocol, javascript:, to inject malicious scripts.

Due to the fact that the attacker could also control some of the data on the page via the site_name and message parameter, an attacker could format it to look like it was a 404 page containing a link that the user needs to click in order to return to the site, which helps make it significantly less suspicious than other possible ways the payload could have been presented. If a user clicked the link from "Click here" it would trigger the execution of the JavaScript.

Example of exploit (https://email.wordfence.com/e3t/Btc/GC+113/cwG7R04/VWjQgs4rqL9QW6T5ZlL7X8k2pVNrtzX4FFLr1N2v9B135js6pV3Zsc37CgWl-W5DfXFH7C2H_VW2dPx1R7nxln-N5QrQb4Bk2zKM5z2pMl6-hmN77-PypPjB9nW365Szn6mQNZ8W3DH38v7TjdNGW37tY9l8LjYpjW8BC38517VQ6rW5Z2X-T3dHMdwW1SrGbr3RptyxW23FtLg4BTd00W2MM_TQ6z6d9gW9hnmWN7l_JnJW1992NW4Tnyr8W7GK-bg1x0nyPW60vRmd1cH6CQW77rVN06y04LCW6Cnln-7cGrMcW89rHc63rTsxwW6gp15_8JdPF4N53pY6Ppt6GmN1NtRSsJ5-bBVzsg1j7vJdN7W8bdVmT4scnjDN6YJFTs9NtwjW6XhtcF5mX5H0VSkq2b1QHc2YW5Tb0cg2CL7zCMNl9bJ2G01dVtS1cf6hyNjSW6LhBZy83WVWL32W61 )

Cross-Site Scripting vulnerabilities can be exploited to perform several actions like creating new administrative user accounts, injecting theme and plugin files with backdoors, and redirecting visitors to malicious sites, all of which can be used for complete site takeover. This vulnerability requires users to click on a link in order to be successful, and is a reminder for site administrators and users to follow security best practices and avoid clicking on links from untrusted sources.

This vulnerability could also be used to redirect the user to a malicious site by simply injecting any domain in the site_url parameter.

Timeline

January 4, 2022 – Conclusion of the plugin analysis that led to the discovery of a Reflected Cross-Site Scripting Vulnerability in the “Profile Builder – User Profile & User Registration Forms” plugin. We verify that the Wordfence firewall provides sufficient coverage. We initiate contact with the developer.

January 5, 2022 – The developer confirms the inbox for handling the discussion.

January 6, 2022 – We send over the full disclosure details. The developer acknowledges the report and indicates that they will work on a fix.

January 10, 2022 – A fully patched version of the plugin is released as version 3.6.2.

Conclusion

In today’s post, we detailed a flaw in the “Profile Builder – User Profile & User Registration Forms” plugin that made it possible for unauthenticated attackers to inject malicious JavaScript onto a vulnerable site that would execute whenever an unsuspecting user clicked on a link containing the malicious payload. This flaw has been fully patched in version 3.6.2.

We recommend that WordPress site owners immediately verify that their site has been updated to the latest patched version available, which is version 3.6.5 at the time of this publication.
Login or Register to add favorites

File Archive:

March 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    0 Files
  • 3
    Mar 3rd
    0 Files
  • 4
    Mar 4th
    32 Files
  • 5
    Mar 5th
    28 Files
  • 6
    Mar 6th
    42 Files
  • 7
    Mar 7th
    17 Files
  • 8
    Mar 8th
    13 Files
  • 9
    Mar 9th
    0 Files
  • 10
    Mar 10th
    0 Files
  • 11
    Mar 11th
    15 Files
  • 12
    Mar 12th
    19 Files
  • 13
    Mar 13th
    21 Files
  • 14
    Mar 14th
    38 Files
  • 15
    Mar 15th
    15 Files
  • 16
    Mar 16th
    0 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    10 Files
  • 19
    Mar 19th
    32 Files
  • 20
    Mar 20th
    46 Files
  • 21
    Mar 21st
    16 Files
  • 22
    Mar 22nd
    13 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    12 Files
  • 26
    Mar 26th
    31 Files
  • 27
    Mar 27th
    19 Files
  • 28
    Mar 28th
    42 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close