Wordfence Blog

Vulnerability in Profile Builder plugin 2.4.0 and older

This entry was posted in Vulnerabilities, Wordfence, WordPress Security on July 7, 2016 by Dan Moen

Wordfence Security Researcher Panagiotis Vagenas recently discovered a privilege escalation vulnerability in the Profile Builder WordPress plugin, which has over 40,000 active installs according to wordpress.org. We shared the details of the vulnerability with the author yesterday and added a firewall rule to our Threat Defense Feed. The author released version 2.4.1 today which fixes the vulnerability.

The privilege escalation vulnerability allows an attacker to elevate the privileges of a low-level WordPress user role, such as Subscriber, to Administrator, giving them full control of the website. This vulnerability only impacts websites that have registration enabled, but given that the plugin's functionality is directly related to registration, it is likely that the majority of websites with the plugin installed are affected.

CVSS Severity: 8.8 (High)

What to do
Premium Wordfence customers who have the firewall enabled are already protected by the firewall rule we added yesterday morning. Free Wordfence users running the Profile Builder plugin should upgrade to version 2.4.1 immediately; they will receive a rule protecting against this vulnerability on August 5th.


3 Comments on "Vulnerability in Profile Builder plugin 2.4.0 and older"

John Teague July 7, 2016 at 11:54 am

Does this vulnerability extend to their Pro version?

Dan Moen July 7, 2016 at 12:08 pm

Hi John, the Pro version appears to be a separate plugin but I would check with the Cozmoslabs support team just to be safe.

Jakob Boman July 8, 2016 at 10:17 am

Thanks for always informing us about security issues. I have just bought your premium service for my most important sites.
