Horizon Alert
Summary of the vulnerability and why it matters
A vulnerability in the Bricksforge WordPress plugin could allow unauthenticated attackers to create new administrator accounts on affected sites. This issue stems from improper validation of a parameter within the Pro Forms registration feature, potentially enabling the addition of attacker-supplied field IDs to a trusted list. The main concern is confirming whether your WordPress sites use this specific plugin with its user registration functionality enabled, as this would create an exposure risk.
- Attackers can add new admins to your site.
- Public registration forms are the potential entry point.
- Verify plugin use and configuration to assess risk.
Attack Path
How an attacker could exploit the issue
An unauthenticated attacker can exploit this vulnerability by targeting a publicly accessible Bricksforge Pro Forms registration form. By sending a specially crafted request containing attacker-supplied field IDs, the attacker can trick the plugin into adding these IDs to a trusted list. This allows the attacker to register a new administrator account, potentially leading to full control of the WordPress site.
- Requires public Pro Forms registration form.
- Triggers by submitting crafted registration request.
- Grants administrator privileges to attacker.
Live Threat
Current exploitation, exposure, and threat context
Unauthenticated attackers could potentially create a new administrator account on a WordPress site that has a publicly accessible Bricksforge Pro Forms element configured with the User Registration action. This is possible due to insufficient validation of user-supplied field IDs when registering new forms.
- Website administrator access.
- Via a crafted request to a registration form.
- Unauthorized control over the website.
Operational Fix
Recommended remediation, mitigation, and detection steps
The Bricksforge plugin's privilege escalation vulnerability necessitates action from WordPress administrators and security teams. The first practical step is to identify all WordPress instances utilizing the Bricksforge plugin, specifically those with Pro Forms configured for user registration and accessible publicly. Subsequently, confirm the business criticality of these instances and the potential exposure to unauthenticated attackers before planning remediation.
- WordPress administrators own the issue.
- Verify public Pro Forms with user registration.
- Plan remediation for exposed instances.