
Security Vulnerabilities in the ProfilePress WordPress Plugin Could Lead to Code Execution

by CISOCONNECT Bureau

WordPress administrators, be aware: several security flaws uncovered in the ProfilePress WordPress plugin could allow complete site takeover. Patches are available, so if your site runs this plugin, update to the most recent version.

Multiple Vulnerabilities
Researchers from the Wordfence team disclosed in a recent blog post that they had found multiple vulnerabilities in the ProfilePress WordPress plugin.

They uncovered several critical security flaws in this plugin, which was formerly known as WP User Avatar. The plugin has over 400,000 active installations, so the flaws may have put thousands of websites at risk.

The researchers discovered four separate vulnerabilities, each rated critical with a CVSS score of 9.8: unauthenticated privilege escalation (CVE-2021-34621), authenticated privilege escalation (CVE-2021-34622), arbitrary file upload in the image uploader component (CVE-2021-34623), and arbitrary file upload in the file uploader component (CVE-2021-34624).

An attacker could use these flaws to upload arbitrary files to a target site, obtain administrator access, and take complete control of the site. The exploits would work even on sites that did not require authentication and did not allow users to register.

Deployment of Patches
Wordfence found that plugin versions 3.0 – 3.1.3 were vulnerable to these exploits.

The researchers reported the flaws to the developers after discovering them. As the changelog shows, the developers patched all of the vulnerabilities in plugin version 3.1.4.

Since that release, the developers have issued further fixes in subsequent versions; at the time of writing, ProfilePress version 3.1.8 is the most recent.

Hence, all WordPress administrators who use this plugin on their sites should upgrade as soon as possible. This is particularly important given how widely vulnerable WordPress plugins are used to attack websites; keeping all plugins up to date is the essential defence against the majority of threats to a site.
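As an added defender's check that is not part of the original article: a short Python script that reads the version from a WordPress plugin's header (the `Version:` line that WordPress itself parses) and reports whether it falls in the affected 3.0 – 3.1.3 range. The file path handling and the sample header are constructed for illustration; the comparison is numeric and component-wise so that, for instance, 3.1.10 is correctly ranked above 3.1.4, which a plain string comparison would get wrong.

```python
import re
from pathlib import Path
from typing import Optional, Tuple

# Affected range reported by Wordfence: 3.0 through 3.1.3; fixed in 3.1.4.
FIRST_AFFECTED = "3.0"
FIRST_FIXED = "3.1.4"


def parse_version(version: str) -> Tuple[int, ...]:
    """Split a dotted version into a tuple of ints so comparison is numeric.
    Non-numeric suffixes (e.g. '3.1.4-beta') are dropped; a plain string
    comparison would wrongly rank '3.1.10' below '3.1.4'."""
    parts = []
    for piece in version.strip().split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    # Pad so that 3.0 compares as 3.0.0 against three-component versions.
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def header_version(plugin_source: str) -> Optional[str]:
    """Extract the 'Version:' field from a WordPress plugin header comment."""
    m = re.search(r"^\s*\*?\s*Version:\s*(\S+)", plugin_source,
                  re.MULTILINE | re.IGNORECASE)
    return m.group(1) if m else None


def is_affected(version: str) -> bool:
    """True when the version lies in the vulnerable range [3.0, 3.1.4)."""
    v = parse_version(version)
    return parse_version(FIRST_AFFECTED) <= v < parse_version(FIRST_FIXED)


def check_plugin_file(path: str) -> Tuple[Optional[str], bool]:
    """Read a plugin's main PHP file and report (version, affected)."""
    src = Path(path).read_text(encoding="utf-8", errors="replace")
    version = header_version(src)
    return version, bool(version and is_affected(version))


# Constructed sample header in the format WordPress uses for plugin metadata.
SAMPLE_HEADER = "<?php\n/*\nPlugin Name: ProfilePress\nVersion: 3.1.3\n*/\n"

if __name__ == "__main__":
    v = header_version(SAMPLE_HEADER)
    print(v, "affected" if v and is_affected(v) else "patched or unknown")
```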
