ProfileGrid WordPress Plugin Vulnerability Allowed Admin Access
WordPress administrators are urged to update their sites to the latest release of the ProfileGrid plugin. A high-severity privilege escalation vulnerability in ProfileGrid could grant a low-privileged, authenticated user administrator access to the affected WordPress site.
ProfileGrid Plugin Vulnerability Exposed WordPress Sites
A recent post by the Wordfence team revealed details about a significant privilege escalation vulnerability in the ProfileGrid plugin, putting thousands of WordPress sites at risk.
ProfileGrid—User Profiles, Groups, and Communities is a WordPress plugin for building user profiles, communities, member directories, groups, and other interactive features. With over 7,000 active installations, the vulnerability exposed a sizeable number of sites.
The vulnerability was found in the plugin's pm_upload_image AJAX action, which lacked proper validation of user-supplied data. An authenticated attacker with as little as subscriber-level access could exploit this flaw to elevate their own privileges to administrator on the target site.
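To make the class of bug concrete, the following is an added, illustrative WordPress AJAX handler and is not ProfileGrid's code. It shows the general pattern behind this kind of privilege escalation: an action reachable by any logged-in user that writes attacker-controlled key/value pairs to user meta, beside a hardened version with a nonce check and an explicit allow-list of fields. The action names (`example_update_meta`, `example_update_meta_hardened`), the `data` parameter and the allowed field names are assumptions made for the example.

```php
<?php
// Illustrative example, not ProfileGrid's code. Action names, the 'data'
// parameter and the allowed field names are assumptions for this demo.

// --- Vulnerable pattern ---------------------------------------------------
// Writes every submitted key/value pair to the current user's meta. WordPress
// stores a user's roles in the '{table_prefix}capabilities' meta key ('wp_'
// prefix by default), so a subscriber posting
//   data[wp_capabilities][administrator]=1
// would have an administrator role written for their own account.
function example_vulnerable_update_meta() {
    $user_id = get_current_user_id();
    $data    = isset( $_POST['data'] ) ? (array) $_POST['data'] : array();

    foreach ( $data as $key => $value ) {
        update_user_meta( $user_id, $key, $value ); // no nonce, no allow-list
    }
    wp_send_json_success();
}
add_action( 'wp_ajax_example_update_meta', 'example_vulnerable_update_meta' );

// --- Hardened pattern -----------------------------------------------------
// 1. Verify a nonce so the request came from the plugin's own form.
// 2. Require a logged-in user (the handler only edits that user's own meta).
// 3. Accept only an explicit allow-list of profile fields, each run through a
//    sanitiser, and drop everything else, including '*capabilities'.
function example_hardened_update_meta() {
    check_ajax_referer( 'example_update_meta_nonce', 'nonce' );

    if ( ! is_user_logged_in() ) {
        wp_send_json_error( 'not logged in', 403 );
    }
    $user_id = get_current_user_id();

    // Profile fields a user may change about themselves (assumed names).
    $allowed = array(
        'example_display_name' => 'sanitize_text_field',
        'example_bio'          => 'sanitize_textarea_field',
        'example_avatar_url'   => 'esc_url_raw',
    );

    $data = ( isset( $_POST['data'] ) && is_array( $_POST['data'] ) )
        ? wp_unslash( $_POST['data'] )
        : array();

    foreach ( $data as $key => $value ) {
        if ( ! is_string( $key ) || ! isset( $allowed[ $key ] ) ) {
            continue; // unknown key: ignored, never written
        }
        if ( ! is_scalar( $value ) ) {
            continue; // nested arrays are not valid for these fields
        }
        update_user_meta( $user_id, $key, call_user_func( $allowed[ $key ], $value ) );
    }
    wp_send_json_success();
}
add_action( 'wp_ajax_example_update_meta_hardened', 'example_hardened_update_meta' );
```

The essential control is the allow-list: a nonce alone stops cross-site requests but not a logged-in attacker submitting the form directly, and a capability check alone does not help when the handler is legitimately meant for subscribers editing their own profile. Rejecting unknown keys removes the path to the capabilities meta entirely.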
The vulnerability was assigned the CVE ID CVE-2024-6411, with a high severity rating and a CVSS score of 8.8. Security researcher Tieu Pham Trong Nhan from TechlabCorp initially discovered the issue and reported it through Wordfence’s bug bounty program, receiving a $488 bounty.
The vulnerability affected all versions of the plugin up to and including 5.8.9. Following the report, Wordfence worked with the plugin developers on a patch, which shipped in ProfileGrid version 5.9.0 earlier this month.
While no exploitation of this vulnerability in the wild has been reported, only 36.7% of installations run the latest release according to the plugin's WordPress.org page. Administrators running ProfileGrid should update to version 5.9.0 or later promptly to mitigate the risk.
Furthermore, users should also review all plugins on their websites for any security updates to prevent potential threats.