User Profile Builder WordPress Plugin Password Reset Vulnerability

A vulnerability exists in the User Profile Builder WordPress plugin in versions prior to 3.15.2, where the password reset process is inadequate. This flaw allows unauthenticated users to reset the passwords of any users, including administrators, by knowing their usernames. Exploiting this vulnerability could lead to unauthorized access to user accounts.

Impact

Successful exploitation allows unauthorized users to gain access to accounts of users whose passwords have been reset, including those of administrators.

Reproduction

To reproduce this vulnerability, send a POST request to the WordPress login page with the action 'lostpassword'. Include the target username and a malicious password key. After the first request is processed, a second request can be sent to the password reset link, which includes the malicious key and username. Finally, send a POST request to the password reset endpoint with the new password, using the same key to complete the process.

Remediation

Users are advised to update the User Profile Builder WordPress plugin to version 3.15.2 or later.