Severe vuln in WordPress plugin Profile Builder would happily hand anyone the keys to your kingdom

Remote attackers were able to create their own admin accounts


A vulnerability in a popular WordPress user role plugin lets any random person create an admin-level account on targeted websites.


The bug in Profile Builder was given a CVSS score of 10.0 by WordPress security biz Wordfence, though precise details of the bug are not yet available on the usual CVE-tracking websites.


According to Wordfence: "A bug in the form handler made it possible for a malicious user to submit input on form fields that didn't exist in the actual form. Specifically, if the site's administrator didn't add the User Role field to the form, an attacker could still inject a user role value into their form submission."
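
The flaw Wordfence describes comes down to a form handler trusting whichever keys arrive in the request rather than the fields the administrator put on the form. The PHP sketch below is an added example, not code from Profile Builder or Wordfence. Its function names, field names and sample submission are hypothetical, and it sets the copy-everything pattern beside an allowlist built from the form definition.

```php
<?php
// Added illustration: hypothetical handler, not Profile Builder's code.
// Fields the administrator placed on the registration form (constructed sample;
// the User Role field is deliberately absent, as in the reported scenario).
$configured_fields = ['username', 'email', 'password'];

// Constructed submission carrying one field that is not on the form.
$submitted = [
    'username' => 'newuser',
    'email'    => 'newuser@example.com',
    'password' => 'correct horse battery staple',
    'role'     => 'administrator',
];

// Flawed pattern: every submitted key is copied into the new account record.
function build_user_unfiltered(array $submitted): array
{
    $user = ['role' => 'subscriber'];   // intended default
    foreach ($submitted as $key => $value) {
        $user[$key] = $value;           // 'role' from the request overrides the default
    }
    return $user;
}

// Hardened pattern: keep only keys present in the form definition, and
// take the role from server-side configuration, never from the request.
function build_user_allowlisted(array $submitted, array $configured_fields, string $default_role): array
{
    $allowed  = array_intersect_key($submitted, array_flip($configured_fields));
    $rejected = array_keys(array_diff_key($submitted, $allowed));
    if ($rejected !== []) {
        // Unexpected fields are a useful detection signal, so log them.
        error_log('registration: dropped unexpected fields: ' . implode(', ', $rejected));
    }
    $allowed['role'] = $default_role;
    return $allowed;
}

$unsafe = build_user_unfiltered($submitted);
$safe   = build_user_allowlisted($submitted, $configured_fields, 'subscriber');

echo "unfiltered role:  {$unsafe['role']}\n";
echo "allowlisted role: {$safe['role']}\n";
```

Logging the rejected keys gives site operators something to alert on, since a registration request carrying a field that is not on the form has no legitimate source.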


Profile Builder is a form-building plugin used mainly for blogs and websites with comment sections. Going by the description on the WordPress.org plugin