ProfileGrid WordPress Plugin Vulnerability Could Allow Admin Access

by Abeerah Hashim
WordPress admins must update their websites with the latest ProfileGrid plugin release. A severe privilege escalation vulnerability in the ProfileGrid plugin could allow an attacker to gain admin access to target WordPress sites.

ProfileGrid Plugin Vulnerability Risked WordPress Sites

In a recent post, team Wordfence shared details about a serious privilege escalation vulnerability in the ProfileGrid plugin that threatened thousands of WordPress sites.

ProfileGrid—User Profiles, Groups, and Communities is a dedicated plugin for WordPress sites that allows users to set up user profiles, communities, directories, groups, and other interactive interfaces. The plugin currently boasts over 7,000 active installations, hinting at the huge number of websites potentially at risk due to the underlying plugin flaw.

As explained, the vulnerability affected the plugin’s pm_upload_image AJAX action due to a lack of validation. An authenticated attacker with only subscriber-level access could exploit the flaw to escalate privileges, potentially all the way to administrator on the target site.

The vulnerability received the CVE ID CVE-2024-6411, with a high severity rating and a CVSS score of 8.8. It first caught the attention of security researcher Tieu Pham Trong Nhan from TechlabCorp, who reported the matter via Wordfence’s bug bounty program and earned a $488 bounty.

This vulnerability affected all plugin versions up to and including 5.8.9. Following the bug report, Wordfence coordinated with the plugin developers on a patch, which the developers rolled out in ProfileGrid version 5.9.0, released earlier this month.

Although no exploitation attempts against this flaw have been observed in the wild so far, the plugin’s official WordPress page currently shows only 36.7% of installations running the latest release, meaning the rest continue to run older, vulnerable plugin versions. Given the threat, it is crucial for all WordPress users to update their sites with the latest plugin release as soon as possible.
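As an added example that is not part of the article or the plugin vendor’s tooling, the POSIX shell helper below tells an administrator whether an installed ProfileGrid version predates the fixed release 5.9.0; the WP-CLI invocation and the plugin slug it uses are assumptions about the deployment.

```shell
#!/bin/sh
# Added example: flag ProfileGrid installs still on a version affected by
# CVE-2024-6411 (all releases before 5.9.0, per the advisory).

FIXED_VERSION="5.9.0"   # first release carrying the fix

# version_lt A B: exit 0 if dotted version A is strictly lower than B.
# Pure-shell numeric comparison, component by component; a missing trailing
# component counts as 0, so "5.9" and "5.9.0" compare equal.
version_lt() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai="${a%%.*}"; bi="${b%%.*}"
        [ -n "$ai" ] || ai=0
        [ -n "$bi" ] || bi=0
        if [ "$ai" -lt "$bi" ]; then return 0; fi
        if [ "$ai" -gt "$bi" ]; then return 1; fi
        case "$a" in *.*) a="${a#*.}";; *) a="";; esac
        case "$b" in *.*) b="${b#*.}";; *) b="";; esac
    done
    return 1   # versions are equal, so not "lower than"
}

# profilegrid_vulnerable VERSION: exit 0 if VERSION is affected (< 5.9.0).
profilegrid_vulnerable() {
    version_lt "$1" "$FIXED_VERSION"
}

# installed_profilegrid_version: read the active plugin version with WP-CLI.
# Assumption: WP-CLI is available and the slug below matches the install
# (override with PROFILEGRID_SLUG if the site uses a different directory name).
installed_profilegrid_version() {
    wp plugin get "${PROFILEGRID_SLUG:-profilegrid-user-profiles-groups-and-communities}" \
        --field=version 2>/dev/null
}

# check_profilegrid [VERSION]: report the verdict for the given or installed version.
check_profilegrid() {
    v="${1:-$(installed_profilegrid_version)}"
    [ -n "$v" ] || { echo "ProfileGrid version could not be determined"; return 2; }
    if profilegrid_vulnerable "$v"; then
        echo "ProfileGrid $v is affected by CVE-2024-6411; update to $FIXED_VERSION or later"
        return 1
    fi
    echo "ProfileGrid $v includes the fix"
}
```

Source the file and run `check_profilegrid` on the site (or `check_profilegrid 5.8.9` to test a known version); a non-zero exit status means the install still needs the update.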

Site owners should also review every plugin running on their websites for pending security fixes, to avoid similar threats.

Let us know your thoughts in the comments.