WordPress admins should replace their web sites with the newest ProfileGrid plugin launch. A extreme privilege escalation vulnerability in ProfileGrid plugin may permit admin entry to focus on WordPress websites.
ProfileGrid Plugin Vulnerability Risked WordPress Websites
In a latest post, workforce Wordfence shared particulars a few critical privilege escalation vulnerability within the ProfileGrid plugin that threatened hundreds of WordPress websites.
ProfileGrid—Person Profiles, Teams, and Communities is a devoted plugin for WordPress websites that permits customers to arrange person profiles, communities, directories, teams, and different interactive interfaces. The plugin at the moment boasts over 7,000 energetic installations, hinting on the enormous variety of web sites doubtlessly in danger as a result of underlying plugin flaw.
As defined, the vulnerability affected the plugin’s pm_upload_image
AJAX motion resulting from an absence of validation. An authenticated adversary may exploit the flaw to realize elevated privileges, even gaining admin entry to the goal websites from subscriber-level entry.
The vulnerability obtained the CVE ID CVE-2024-6411, reaching a excessive severity score and a CVSS rating 8.8. It first caught the eye of safety researcher Tieu Pham Trong Nhan from TechlabCorp, who reported the matter by way of Wordfence’s bug bounty program, and gained $488 bounty.
This vulnerability affected all plugin variations till model 5.8.9. Following this bug report, Wordfence coordinated with the plugin builders for a patch, which the builders then rolled out with ProfileGrid model 5.9.0 launched earlier this month.
Though there seem no exploitation makes an attempt of this flaw within the wild, the plugin’s official WordPress page at the moment exhibits solely 36.7% operating the newest launch, whereas the remainder of the customers proceed to run the older, susceptible plugin variations. Therefore, given the menace, it’s essential for all WordPress customers to replace their websites with the newest plugin launch as quickly as attainable.
Furthermore, it’s additionally vital to examine all plugins operating on their web sites for attainable safety fixes with a view to keep away from potential threats.
Tell us your ideas within the feedback.