# Security Patch Notes - Version 6.8

## Critical Vulnerability Fixed: CVE-2026-0844

**Severity**: High (CVSS 8.8)
**Type**: Privilege Escalation
**Affected Versions**: <= 6.7

### Vulnerability Description

The plugin was vulnerable to privilege escalation where authenticated users with minimal permissions (subscriber+) could escalate their privileges to administrator by manipulating the `profile_save_field` function.

### Root Causes Fixed

1. **Insufficient Authorization**: Users could modify any user's profile by changing the `current_user` parameter
2. **Unrestricted Meta Updates**: Code allowed updating arbitrary user metadata including `wp_capabilities`

### Security Fixes Implemented

#### 1. Authorization Check (`inc/classes/class.profile.php`)

```php
// Added proper authorization check
$current_user_id = get_current_user_id();
if ($user_id !== $current_user_id && !current_user_can('edit_users')) {
    wp_send_json(array('status' => 'error', 'message' => __('Unauthorized access', 'wpr')));
}
```

#### 2. Meta Key Whitelisting (`inc/classes/class.user.php`)

```php
// Implemented strict whitelist of allowed meta keys
$allowed_meta_keys = array(
    'first_name', 'last_name', 'description', 'nickname',
    'display_name', 'user_url', 'wpr_phone', 'wpr_address'
);

// Block capability-related keys
if (strpos($key, 'capabilities') !== false || strpos($key, 'user_level') !== false) {
    continue;
}
```

#### 3. Enhanced set_meta Protection

```php
// Added capability protection to both set_meta functions
if (strpos($key, 'capabilities') !== false || strpos($key, 'user_level') !== false) {
    return false;
}
```

#### 4. Admin Function Authorization

```php
// Added authorization to without_field_user_form_submit
if (!current_user_can('manage_options')) {
    wp_send_json(array('status' => 'error', 'message' => __('Unauthorized access', 'wpr')));
}
```

### Additional Security Hardening

- Disabled debug mode (`WPR_DEBUG = false`)
- Removed password storage in user meta
- Enhanced input validation throughout

### Testing Performed

- ✅ Verified reported exploit no longer works
- ✅ Confirmed authorization checks function correctly
- ✅ Tested all user roles and permission levels
- ✅ Validated meta key restrictions prevent capability manipulation
- ✅ Ran Plugin Check Plugin - all issues resolved

### Upgrade Instructions

**IMMEDIATE ACTION REQUIRED**: Update to version 6.8 immediately to patch this critical security vulnerability.

1. Backup your site
2. Update plugin to version 6.8
3. Verify no unauthorized admin users exist
4. Review user roles and capabilities

### Contact

For security-related questions, contact: security@najeebmedia.com
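
The authorization rule from fix 1 and the exact-match allowlist from fix 2, written as plain PHP functions that run without WordPress. This is an added example, not the plugin's code; the `wpr_example_*` names, the sample request and the assumption that the target user id arrives as a request string are assumptions of this example.

```php
<?php
// Added example, not the plugin's code; the wpr_example_* names are hypothetical.
// The allowed keys are the ones listed in the patch notes.
const WPR_EXAMPLE_ALLOWED_META = array(
    'first_name', 'last_name', 'description', 'nickname',
    'display_name', 'user_url', 'wpr_phone', 'wpr_address',
);

// Fix 1 as a pure function. Assumption: the target id arrives as a request
// string, so it is validated as a positive integer before the comparison.
function wpr_example_may_edit($target_id, int $current_id, bool $can_edit_users): bool
{
    $target = filter_var($target_id, FILTER_VALIDATE_INT, array('options' => array('min_range' => 1)));
    if ($target === false || $current_id < 1) {
        return false; // malformed id or no logged-in user: fail closed
    }
    return $target === $current_id || $can_edit_users;
}

// Fix 2 as a pure function: exact-match allowlist, scalar values only.
function wpr_example_filter_meta(array $submitted): array
{
    $accepted = array();
    $rejected = array();
    foreach ($submitted as $key => $value) {
        if (is_string($key) && in_array($key, WPR_EXAMPLE_ALLOWED_META, true) && is_scalar($value)) {
            $accepted[$key] = (string) $value;
        } else {
            $rejected[] = (string) $key; // report it so the attempt can be logged
        }
    }
    return array('accepted' => $accepted, 'rejected' => $rejected);
}

// Constructed sample request body (not taken from a real site).
$request = array(
    'first_name'             => 'Sam',
    'wpr_phone'              => '555-0100',
    'wp_capabilities'        => array('administrator' => true),
    'wp_user_level'          => '10',
    'other_plugin_role_flag' => '1', // constructed key with no "capabilities" substring
);
print_r(wpr_example_filter_meta($request));
var_dump(wpr_example_may_edit('7', 7, false)); // own profile, id sent as a string
var_dump(wpr_example_may_edit('1', 7, false)); // another user's profile, no edit_users
var_dump(wpr_example_may_edit('1', 7, true));  // caller holds edit_users
```

Inside WordPress the two non-request inputs would come from `get_current_user_id()` and `current_user_can('edit_users')`, as in fix 1.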