Critical vulnerability in Convert Plus WordPress Plugin lets attacker create admin accounts

• The critical vulnerability has impacted all versions of the Convert Plus Plugin up to v3.4.2.
• The vulnerability has been fixed in the latest Convert Plus Plugin version 3.4.3.

What is the issue?

Researchers from Defiant uncovered a critical vulnerability in Convert Plus WordPress Plugin that allows an unauthenticated attacker to create accounts with administrator privileges.

More details on the vulnerability

The vulnerability arises from the lack of filtering issue while processing a new user subscription form supplied by the plugin.

Administrators can define the role they want for the new subscribers in the subscription form. In the form, administrator role is not listed as the plugin keeps it off the list available in the drop-down menu.

However, the vulnerable versions of the Convert Plus plugin made available the administrator role in a hidden field called "cp_set_user."

“Because this value is supplied by the same HTTP request as the rest of the subscription entry, it can be modified by the user,” Defiant researchers described.

An attacker can take advantage of this by submitting a submission form and modifying the value of the ‘cp_set_user’ to set it to ‘administrator’ without filtering new subscriptions. This way attackers can create a new user with administrator privileges.

What is the impact?

The vulnerability has impacted all versions of the Convert Plus Plugin up to v3.4.2.

The developer behind Convert Plus Plugin, BrainstormForce, was notified about the vulnerability on May 24, 2019. The developer immediately responded and released the patch on May 29, 2019.

The vulnerability has been fixed in Convert Plus Plugin version 3.4.3. Due to the severity of the flaw, the developer has pushed an automatic update for the latest version in WordPress backend. Administrators are advised to enable it as soon as possible.