CVE-2023-3713

8.8 HIGH

📋 TL;DR

The ProfileGrid WordPress plugin, up to and including version 5.5.1, is missing a capability check, which allows any authenticated user with subscriber-level permissions or higher to update arbitrary WordPress site options. This enables privilege escalation: an attacker can modify critical site settings. All WordPress sites running a vulnerable ProfileGrid version are affected.

💻 Affected Systems

Products:
  • ProfileGrid - User Profiles, Groups and Communities WordPress Plugin
Versions: Up to and including 5.5.1
Operating Systems: Any OS running WordPress
Default Config Vulnerable: ⚠️ Yes
Notes: Requires WordPress installation with ProfileGrid plugin enabled. Any authenticated user (subscriber role or higher) can exploit this vulnerability.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers gain administrative access, take over the WordPress site, install backdoors, steal sensitive data, or deface the website.

🟠 Likely Case

Attackers escalate privileges to administrator level, modify site settings, inject malicious code, or create new admin accounts.

🟢 If Mitigated

Attackers can only view content but cannot modify site options or escalate privileges, because proper access controls are enforced.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires authenticated access but is straightforward once an attacker has subscriber-level credentials.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 5.5.2 and later

Vendor Advisory: https://plugins.trac.wordpress.org/changeset/2938904/profilegrid-user-profiles-groups-and-communities

Restart Required: No

Instructions:

1. Log into the WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find the ProfileGrid plugin.
4. Click 'Update Now' if an update is available.
5. Alternatively, download version 5.5.2+ from the WordPress repository and update manually.

🔧 Temporary Workarounds

Disable ProfileGrid Plugin

Temporarily deactivate the vulnerable plugin until patched

wp plugin deactivate profilegrid-user-profiles-groups-and-communities

Restrict User Registration

Disable new user registration to prevent attackers from obtaining subscriber accounts

Update WordPress Settings → General → Membership: Uncheck 'Anyone can register'

🧯 If You Can't Patch

  • Implement strict access controls and monitor user activity logs for suspicious option modifications
  • Use web application firewall (WAF) rules to block requests to vulnerable plugin endpoints

🔍 How to Verify

Check if Vulnerable:

Check WordPress admin → Plugins → ProfileGrid version. If version is 5.5.1 or lower, you are vulnerable.

Check Version:

wp plugin get profilegrid-user-profiles-groups-and-communities --field=version

Verify Fix Applied:

Verify ProfileGrid plugin version is 5.5.2 or higher in WordPress admin panel.

📡 Detection & Monitoring

Log Indicators:

  • Unauthorized update_option() calls in WordPress debug logs
  • User role changes from subscriber to administrator
  • Suspicious POST requests to /wp-admin/admin-ajax.php with action=profile_magic_check_smtp_connection

Network Indicators:

  • Unusual admin-ajax.php requests from non-admin user accounts
  • POST requests modifying WordPress options from low-privilege users

SIEM Query:

source="wordpress.log" AND ("update_option" OR "profile_magic_check_smtp_connection") AND user_role="subscriber"
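As an added example (not from the advisory or the plugin), the script below applies the log indicators above to a constructed JSON-lines audit log: it flags POSTs to admin-ajax.php carrying the ProfileGrid SMTP-check action from accounts that are not administrators. The field names (user, user_role, method, path, action) are assumptions mirroring the SIEM query; a real deployment must map them to whatever its audit or WAF logging emits.

```python
import json

# Constructed sample audit log (not real traffic). Each line is one
# admin-ajax.php request annotated with the acting user's role.
SAMPLE_LOG = """\
{"ts":"2023-07-12T10:01:02Z","user":"alice","user_role":"subscriber","method":"POST","path":"/wp-admin/admin-ajax.php","action":"profile_magic_check_smtp_connection"}
{"ts":"2023-07-12T10:02:10Z","user":"admin","user_role":"administrator","method":"POST","path":"/wp-admin/admin-ajax.php","action":"profile_magic_check_smtp_connection"}
{"ts":"2023-07-12T10:03:11Z","user":"bob","user_role":"subscriber","method":"POST","path":"/wp-admin/admin-ajax.php","action":"heartbeat"}
{"ts":"2023-07-12T10:04:30Z","user":"alice","user_role":"subscriber","method":"POST","path":"/wp-admin/admin-ajax.php","action":"profile_magic_check_smtp_connection"}
"""

# AJAX action named in the advisory's log indicators.
SUSPECT_ACTION = "profile_magic_check_smtp_connection"
# Roles legitimately allowed to change site options (assumption).
PRIVILEGED_ROLES = {"administrator"}


def parse_events(text):
    """Parse JSON-lines text into a list of event dicts, skipping blanks
    and malformed lines so one bad record does not abort the scan."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return events


def find_suspicious(events, suspect_action=SUSPECT_ACTION,
                    privileged_roles=PRIVILEGED_ROLES):
    """Return events where a non-privileged user POSTs the suspect action
    to admin-ajax.php; an administrator doing the same is expected use."""
    hits = []
    for ev in events:
        if (ev.get("method") == "POST"
                and ev.get("path", "").endswith("/wp-admin/admin-ajax.php")
                and ev.get("action") == suspect_action
                and ev.get("user_role") not in privileged_roles):
            hits.append(ev)
    return hits


def hits_per_user(hits):
    """Count flagged requests per user to surface repeat offenders."""
    counts = {}
    for ev in hits:
        counts[ev.get("user")] = counts.get(ev.get("user"), 0) + 1
    return counts
```

Feed the same functions your real audit export instead of SAMPLE_LOG; if the action only appears in the POST body, the logging layer (WAF or an audit plugin) must capture it, since web-server access logs will not.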
