ProfileGrid WordPress Plugin Vulnerability Allowed Admin Access
WordPress admins are urged to update their websites with the latest release of the ProfileGrid plugin. A critical privilege escalation vulnerability in the ProfileGrid plugin could potentially grant admin access to targeted WordPress sites.
ProfileGrid Plugin Vulnerability Exposed WordPress Sites
A recent post by the Wordfence team revealed details about a significant privilege escalation vulnerability in the ProfileGrid plugin, putting thousands of WordPress sites at risk.
ProfileGrid—User Profiles, Groups, and Communities is a WordPress plugin for building user profiles, communities, directories, groups, and other interactive features. With over 7,000 active installations, the identified vulnerability exposed a large number of websites.
The vulnerability was found in the plugin’s pm_upload_image AJAX action, which lacked proper validation. An authenticated attacker could exploit this flaw to gain elevated privileges, potentially escalating from subscriber-level access to admin access on the target sites.
The vulnerability was assigned the CVE ID CVE-2024-6411, with a high severity rating and a CVSS score of 8.8. Security researcher Tieu Pham Trong Nhan from TechlabCorp initially discovered the issue and reported it through Wordfence’s bug bounty program, receiving a $488 bounty.
This vulnerability affected all versions of the plugin up to version 5.8.9. Following the bug report, Wordfence worked with the plugin developers to release a patch, which was included in ProfileGrid version 5.9.0 released earlier this month.
While there have been no reported exploits of this vulnerability in the wild, only 36.7% of users have updated to the latest release according to the plugin’s WordPress page. It is crucial for all WordPress users to promptly update their sites with the latest plugin version to mitigate the risk.
Furthermore, users should also review all plugins on their websites for any security updates to prevent potential threats.
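As an added example (not code from the article, Wordfence, or the plugin), a small audit a site operator could run across a WordPress plugins directory to find ProfileGrid installs still at an affected version. It reads the standard WordPress plugin header; the directory layout and the sample header are constructed for this example.

```python
"""Flag ProfileGrid installs at or below 5.8.9, the last version affected by CVE-2024-6411."""
import re
from pathlib import Path

FIXED_VERSION = "5.9.0"  # first release carrying the patch, per the advisory

# Constructed sample, modelled on the WordPress plugin header format (not the real plugin file).
SAMPLE_HEADER = """<?php
/**
 * Plugin Name: ProfileGrid - User Profiles, Groups and Communities
 * Version: 5.8.9
 */
"""


def parse_version(ver: str) -> tuple:
    """'5.8.9' -> (5, 8, 9), so comparison is numeric ('5.10.0' must sort above '5.9.0')."""
    parts = re.findall(r"\d+", ver)
    return tuple(int(p) for p in parts) if parts else (0,)


def parse_plugin_header(php_source: str) -> dict:
    """Extract the 'Plugin Name' and 'Version' fields from the comment header WordPress reads."""
    header = {}
    for field in ("Plugin Name", "Version"):
        m = re.search(rf"^\s*\*?\s*{re.escape(field)}:\s*(.+?)\s*$", php_source, re.M)
        if m:
            header[field] = m.group(1)
    return header


def is_affected(version: str, fixed: str = FIXED_VERSION) -> bool:
    """True when the installed version predates the patched release."""
    return parse_version(version) < parse_version(fixed)


def audit_plugins(plugins_dir: Path) -> list:
    """Return (plugin name, version, affected?) for each ProfileGrid main file under plugins_dir."""
    findings = []
    for php in plugins_dir.glob("*/*.php"):  # assumes wp-content/plugins/<slug>/<main>.php layout
        hdr = parse_plugin_header(php.read_text(errors="ignore"))
        if "ProfileGrid" in hdr.get("Plugin Name", "") and "Version" in hdr:
            findings.append((hdr["Plugin Name"], hdr["Version"], is_affected(hdr["Version"])))
    return findings


if __name__ == "__main__":
    hdr = parse_plugin_header(SAMPLE_HEADER)
    print(hdr["Plugin Name"], hdr["Version"], "AFFECTED" if is_affected(hdr["Version"]) else "patched")
```

Point `audit_plugins` at a site's wp-content/plugins directory to list every ProfileGrid copy and whether it still needs the 5.9.0 update.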