Connect with us

Tech News

ProfileGrid WordPress Plugin Vulnerability Allowed Admin Access

Published

on

Latest Hacking News

WordPress admins are urged to update their websites with the latest release of the ProfileGrid plugin. A critical privilege escalation vulnerability in the ProfileGrid plugin could potentially grant admin access to targeted WordPress sites.

ProfileGrid Plugin Vulnerability Exposed WordPress Sites

A recent post by the Wordfence team revealed details about a significant privilege escalation vulnerability in the ProfileGrid plugin, putting thousands of WordPress sites at risk.

ProfileGrid—User Profiles, Groups, and Communities is a specialized plugin for WordPress that enables users to create user profiles, communities, directories, groups, and other interactive features. With over 7,000 active installations, the plugin poses a significant risk to websites due to the identified vulnerability.

The vulnerability was found in the plugin’s pm_upload_image AJAX action, which lacked proper validation. An authenticated attacker could exploit this flaw to gain elevated privileges, potentially escalating from subscriber-level access to admin access on the target sites.

The vulnerability was assigned the CVE ID CVE-2024-6411, with a high severity rating and a CVSS score of 8.8. Security researcher Tieu Pham Trong Nhan from TechlabCorp initially discovered the issue and reported it through Wordfence’s bug bounty program, receiving a $488 bounty.

This vulnerability affected all versions of the plugin up to version 5.8.9. Following the bug report, Wordfence worked with the plugin developers to release a patch, which was included in ProfileGrid version 5.9.0 released earlier this month.

While there have been no reported exploits of this vulnerability in the wild, only 36.7% of users have updated to the latest release according to the plugin’s WordPress page. It is crucial for all WordPress users to promptly update their sites with the latest plugin version to mitigate the risk.

See also  Shapez 2 gets an Early Access release date and a new trailer to explain how it'll consume all your free time

Furthermore, users should also review all plugins on their websites for any security updates to prevent potential threats.

Share your thoughts in the comments section below.

Trending