Earlier today, the Wordfence Threat Intelligence team announced numerous vulnerabilities that were fixed in ProfilePress, a widely used WordPress plugin.
Due to these vulnerabilities, attackers were able to upload arbitrary files to a vulnerable site and get administrative privileges even if registration was disabled.
The ProfilePress membership plugin (formerly known as WP User Avatar) is a powerful plugin that lets you install beautiful user profiles, member directories, and frontend forms for registration, login, and password changes. Additionally, it offers security and access control features. However, A handful of security problems have been introduced as a result of the new features.
This flaw is rated as ‘Critical‘ on Patchstack (Score: 9.8)
The Wordfence team first contacted the plugin’s developer on May 27, 2021. And, On May 30, 2021, a patch was released as version 3.1.4.
Patches have been released for these critical security issues, which means if you are using an outdated version of the plugin (3.1 – 3.1.3), you should update to the latest patched version immediately.
Our Threat Intelligence team just published details about several vulnerabilities patched in ProfilePress, formerly WP User Avatar, used by 400K+ sites. These vulnerabilities were trivial to exploit & could allow attackers to take over vulnerable sites.— Wordfence (@wordfence) June 28, 2021