A serious security vulnerability has threatened the integrity of the Convert Plus WordPress plugin. The flaw in the plugin could allow a potential attacker to create admin accounts. Convert Plus is an inclusive WordPress pop-up plugin that facilitates better conversion and lead generation from the website.
Convert Plus WordPress Plugin Flaw
Researchers from Wordfence discovered a critical security flaw affecting the Convert Plus WordPress plugin. Upon exploit by a potential attacker, the flaw could allow creating unauthorized admin accounts.
Describing the flaw in their report, Wordfence stated,
This flaw allowed unauthenticated attackers to register new accounts with arbitrary user roles, up to and including Administrator accounts.
In an ideal situation, the Convert Plus plugin allows WordPress admins to define any user roles for the new subscriber email addresses except the Administrator role, which it removes from the available roles during the process.
However, in case of vulnerable versions, the flaw existed in fetching the roles from the database. As elaborated by the researchers,
Instead, this setting was reflected in a hidden field on the plugin’s forms called cp_set_user. Because this value is supplied by the same HTTP request as the rest of the subscription entry, it can be modified by the user. This code calls the plugin’s function cp_add_new_user_role with the role provided in the AJAX request, which then handles the process of creating the user as directed.
Thus, allowing the new user subscribing on the website to set admin role by modifying the value of cp_set_user to “administrator”.
The researchers have demonstrated the exploit in the following video.
Developers Patched The Vulnerability
The researchers spotted the vulnerability on May 24, 2019. They noticed that the flaw affected all Convert Plus plugin versions up to 3.4.2, about which they notified the developers. Appreciably, convert Plus team responded quickly to the report. They patched the vulnerability with the release of Convert Plus plugin version 3.4.3. The developers also stated they appreciated the researchers highlighting the flaw.
To stay protected from any security incident, the users of Convert Plus must ensure updating their systems to the latest release.
Take your time to comment on this article.