Profile Builder - front-end user registration, login and edit profile [Privilege Escalation]

Description

This was first reported by itsabhineet in the WordPress support forums. The reporter didn't realize that he was posting a security issue. The topic was deleted by the WordPress team.

The Profile Builder plugin registers the shortcode wppb-register, which lets users create a page with a registration form. This shortcode accepts a role attribute, which sets the role of the newly registered user to the value provided.

The problem arises when a user who can create a post type that can contain shortcodes creates a post containing this shortcode with the role attribute set to administrator.

PoC

  1. Create a post with a user that can create posts (contributor, author etc.).
  2. Add the shortcode [wppb-register role="administrator"].
  3. Log out and register a new user.

The new user will be created as an administrator.

Solution

Upgrade to v2.3.6
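
To find posts on an existing site that already use the role attribute described above, the following audit is an added example (not code from the original advisory or from the plugin). It assumes post rows have been exported as id, author role and post content; the trusted author roles and the harmless role values are assumptions to adjust per site.

```python
import re

# Opening tag of the shortcode named on this page; group 1 is its attribute string.
SHORTCODE_RE = re.compile(r"\[wppb-register(?![\w-])([^\]]*)\]", re.IGNORECASE)
# Attribute forms WordPress accepts: name="v", name='v', name=v
ATTR_RE = re.compile(r"""([\w-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s'"\]]+))""")

# Assumption: author roles allowed to choose the role of new accounts.
TRUSTED_AUTHOR_ROLES = {"administrator"}
# Assumption: role values acceptable no matter who authored the post.
HARMLESS_ROLES = {"subscriber"}


def shortcode_roles(content):
    """Return the role value of every wppb-register shortcode in content."""
    roles = []
    for match in SHORTCODE_RE.finditer(content):
        for name, dq, sq, bare in ATTR_RE.findall(match.group(1)):
            if name.lower() == "role":
                roles.append((dq or sq or bare).strip().lower())
    return roles


def audit_posts(posts):
    """Flag posts whose author is not trusted to assign the requested role."""
    findings = []
    for post in posts:
        if post["author_role"] in TRUSTED_AUTHOR_ROLES:
            continue
        for role in shortcode_roles(post["content"]):
            if role and role not in HARMLESS_ROLES:
                findings.append((post["id"], post["author_role"], role))
    return findings


# Constructed sample rows (hypothetical export layout); not real site data.
SAMPLE_POSTS = [
    {"id": 11, "author_role": "administrator", "content": '[wppb-register role="editor"]'},
    {"id": 12, "author_role": "contributor", "content": 'Join us [wppb-register role="administrator"]'},
    {"id": 13, "author_role": "author", "content": "[wppb-register  role = 'administrator' ]"},
    {"id": 14, "author_role": "author", "content": "[wppb-register]"},
    {"id": 15, "author_role": "contributor", "content": "[wppb-register role=subscriber]"},
]

if __name__ == "__main__":
    for post_id, author_role, role in audit_posts(SAMPLE_POSTS):
        print(f"post {post_id}: author role {author_role!r} requests new-user role {role!r}")
```

Any flagged post should be reviewed together with the accounts registered after it was published.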

