Convert Plus, a commercial plugin for WordPress websites, has a critical vulnerability that lets an unauthenticated attacker create accounts with administrator privileges. The flaw is due to a lack of input validation when processing a new user subscription submitted through a form supplied by the plugin.
Convert Plus, previously known as Convert Plug, is estimated to have 100,000 active installations. It was created to make websites more engaging and to call visitors to action; the intended effect is to grow the user base and increase sales conversions through various call-to-action elements on the page.
To handle new subscribers, administrators can set up a form and choose which role new users receive. The administrator role is not offered in the drop-down menu; the plugin deliberately leaves it out.
Researchers at Defiant found that in vulnerable versions of the Convert Plus plugin the administrator role could still be supplied through a hidden form field called “cp_set_user.”
Because this value is sent in the same HTTP request as the rest of the subscription entry, a user can modify it.
An attacker can submit the subscription form with the value of “cp_set_user” changed to “administrator,” creating a new user with the highest privileges on the website.
A random password is assigned to the new account, but the attacker can request a password reset to obtain working login details.
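The defect described above and its fix, shown as an added illustration rather than the plugin's own code: the vulnerable handler trusts the role carried in the request, while the hardened handler takes the role from a server-side setting and validates it against the registered WordPress roles, never allowing “administrator” from a public form. Function names, the `cp_example_*` option name and the `cp_email` field are hypothetical; only `cp_set_user` comes from the advisory.

```php
<?php
// Added example, not Convert Plus code. Assumes it runs inside WordPress
// (wp_insert_user, wp_roles, get_option, sanitize_key, sanitize_email exist).

// Vulnerable pattern: the role is read straight from the request, so a hidden
// form field decides the privileges of the account being created.
function cp_example_vulnerable_subscribe(array $post) {
    $role = $post['cp_set_user'];                  // attacker-controlled value
    return wp_insert_user([
        'user_login' => sanitize_email($post['cp_email']), // hypothetical field
        'user_email' => sanitize_email($post['cp_email']),
        'user_pass'  => wp_generate_password(),
        'role'       => $role,                         // no server-side check
    ]);
}

// Hardened pattern: the role comes from an option the administrator saved for
// this form when configuring it; nothing in the POST body can override it.
function cp_example_hardened_subscribe(array $post, string $form_id) {
    // Hypothetical option holding the per-form role chosen in the admin UI.
    $configured = (string) get_option("cp_example_form_role_{$form_id}", '');
    $role  = cp_example_allowed_role($configured);
    $email = sanitize_email($post['cp_email'] ?? '');
    if (!is_email($email)) {
        return new WP_Error('cp_example_bad_email', 'Invalid e-mail address.');
    }
    return wp_insert_user([
        'user_login' => $email,
        'user_email' => $email,
        'user_pass'  => wp_generate_password(),
        'role'       => $role,
    ]);
}

// Returns a role that is safe to assign from a public subscription form:
// it must be a registered role, and "administrator" is never allowed;
// anything else falls back to the site's default role.
function cp_example_allowed_role(string $requested): string {
    $default   = (string) get_option('default_role', 'subscriber');
    $requested = sanitize_key($requested);
    if ($requested === '' || $requested === 'administrator') {
        return $default;
    }
    if (!array_key_exists($requested, wp_roles()->roles)) {
        return $default;
    }
    return $requested;
}
```

The same rule applies to any hidden field: treat it as untrusted input and keep the authoritative value on the server.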
This issue affects all versions of the plugin up to 3.4.2. Given the severity of the flaw, all administrators are advised to update to version 3.4.3.
The developer behind Convert Plus, BrainstormForce, was informed of the vulnerability on May 24, when Defiant discovered it.
A patch was made available four days later, and the developer published a changelog informing users of the security issue and stating that immediate action is required.
Because installing security patches may cause problems, BrainstormForce pushed an automatic update for the latest Convert Plus version, which is available from the WordPress backend. All users are strongly recommended to enable it as soon as possible.