Hundreds, if not thousands of WordPress plugins are conceived with the idea of making site building and maintenance easier for site owners. They add features not available in WordPress Core that would otherwise require site owners to write their own code to extend functionality. However, these well-intentioned plugins may sometimes contain seemingly innocuous bugs that can lead to catastrophic consequences.
On Tuesday, February 7th, 2023, prominent WordPress vulnerability researcher István Márton, also known as Lana Codes, reached out to the Wordfence Threat Intelligence team to responsibly disclose an information disclosure vulnerability in Cozmolabs Profile Builder, a WordPress plugin designed to enhance the user profile and registration experience with a reported 60,000+ active installations. If exploited, this vulnerability allows threat actors to gain elevated privileges by taking over arbitrary accounts.
Wordfence researchers quickly assessed the vulnerability and deployed a firewall rule to protect customers from exploitation. Premium WordFence customers received that protection on February 13, 2023 as well as an additional firewall rule for extended protection on February 14, 2023. Sites still running the free version of Wordfence will receive the same protection 30 days later on March 14 and March 15, 2023, respectively.
In coordination with Márton, Cozmolabs quickly released a fix in Profile Builder version 3.9.1 on February 13, 2023, only 6 days after the vulnerability’s discovery.