Extra User Details [Privilege Escalation]

Description

The Extra User Details plugin for WordPress suffers from a privilege escalation vulnerability.

The plugin hooks its eud_update_ExtraFields function to the WordPress profile_update action, which fires whenever a user profile is saved, including when a user saves their own profile. The function does not check user capabilities and does not restrict which meta keys may be written: it takes every POST variable whose name begins with the eud prefix, strips that prefix, and stores the remaining name and value as user meta in the database.

Because WordPress keeps a user's roles in the {prefix}capabilities user meta key (wp_capabilities with the default wp_ table prefix), an authenticated attacker with an ordinary account can exploit this flaw to overwrite that key and gain administrative privileges.
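The following PHP is an added illustration of the pattern the advisory describes beside a hardened replacement; it is not the plugin's actual source. The hook name profile_update and the WordPress functions used are real, while the option name eud_fields, the nonce action name and the field names are assumptions made for the example.

```php
<?php
// Added illustration, not the Extra User Details plugin's real code.
// Unsafe pattern as described in the advisory: every POST field prefixed "eud_"
// becomes a user meta key once the prefix is stripped. There is no capability
// check and no allow-list, so a field named eud_wp_capabilities reaches the
// wp_capabilities meta key that stores the user's roles.
function eud_update_ExtraFields_unsafe( $user_id ) {
    foreach ( $_POST as $key => $value ) {
        if ( strpos( $key, 'eud_' ) === 0 ) {
            update_user_meta( $user_id, substr( $key, 4 ), $value );
        }
    }
}

// Hardened version (illustrative). Only field names the site administrator
// registered may be written, keys that collide with core per-site meta
// ({$wpdb->prefix}capabilities, {$wpdb->prefix}user_level, ...) or protected
// meta are refused, and the request must carry a nonce. The option name
// 'eud_fields' and nonce action 'eud_update_fields' are hypothetical.
function eud_update_ExtraFields_safe( $user_id ) {
    global $wpdb;

    // Caller must be allowed to edit this user at all.
    if ( ! current_user_can( 'edit_user', $user_id ) ) {
        return;
    }
    // Reject requests that did not originate from the plugin's own form.
    if ( ! isset( $_POST['eud_nonce'] )
        || ! wp_verify_nonce( $_POST['eud_nonce'], 'eud_update_fields' ) ) {
        return;
    }

    $allowed = (array) get_option( 'eud_fields', array() ); // admin-defined field names

    foreach ( $allowed as $field ) {
        // The allow-list is the real control: never write a key that starts with
        // the table prefix (wp_capabilities etc.) or that WordPress marks protected.
        if ( strpos( $field, $wpdb->prefix ) === 0 || is_protected_meta( $field, 'user' ) ) {
            continue;
        }
        if ( isset( $_POST[ 'eud_' . $field ] ) ) {
            $value = sanitize_text_field( wp_unslash( $_POST[ 'eud_' . $field ] ) );
            update_user_meta( $user_id, $field, $value );
        }
    }
}
add_action( 'profile_update', 'eud_update_ExtraFields_safe' );
```

Note that the capability check on its own would not close the hole: profile_update also fires when a user saves their own profile, and every user may edit their own profile, so the allow-list of meta keys is the essential fix; the nonce and capability checks only limit who can trigger the write.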

PoC

In the following PoC we assume that the database uses the wp_ table prefix, a very common scenario as this is the default WordPress value.

Solution

Upgrade to v0.4.2.1 or later.