CVE-2024-10900
📋 TL;DR
The ProfileGrid WordPress plugin has an authorization vulnerability that allows authenticated users (even with low-privilege subscriber accounts) to delete arbitrary user metadata. This can lead to denial of service by removing administrator access capabilities. All WordPress sites using ProfileGrid up to version 5.9.3.6 are affected.
💻 Affected Systems
- ProfileGrid – User Profiles, Groups and Communities WordPress plugin
📦 What is this software?
Profilegrid by Metagauss
⚠️ Risk & Real-World Impact
Worst Case
Attackers could delete critical user metadata for all administrators, completely locking them out of their WordPress sites and requiring database-level recovery.
Likely Case
Attackers delete administrator metadata to cause temporary site access denial, potentially combined with other attacks for privilege escalation.
If Mitigated
With proper user role management and monitoring, impact is limited to temporary service disruption requiring metadata restoration.
🎯 Exploit Status
Exploitation requires authenticated access but is simple to execute. Public proof-of-concept exists in security advisories.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 5.9.3.7 or later
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find the ProfileGrid plugin.
4. Click 'Update Now' if available.
5. Alternatively, download version 5.9.3.7+ from the WordPress repository and update manually.
🔧 Temporary Workarounds
Disable ProfileGrid Plugin
Temporarily deactivate the vulnerable plugin until patched
wp plugin deactivate profilegrid-user-profiles-groups-and-communities
Restrict User Registration
Disable new user registration to prevent attackers from creating the low-privilege accounts the attack requires
In WordPress Settings → General → Membership, uncheck 'Anyone can register'
🧯 If You Can't Patch
- Implement strict user role management and monitor for suspicious subscriber activity
- Add web application firewall rules to block admin-ajax.php requests carrying action=pm_remove_file_attachment from non-admin users
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin → Plugins → ProfileGrid version. If the version is 5.9.3.6 or lower, the site is vulnerable.
Check Version:
wp plugin get profilegrid-user-profiles-groups-and-communities --field=version
Verify Fix Applied:
After update, confirm ProfileGrid version is 5.9.3.7 or higher in WordPress plugins list.
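The version check above is easy to get wrong in a script if versions are compared as strings ("5.9.3.10" sorts before "5.9.3.7" lexically). The following is an added example, not part of the original advisory or of ProfileGrid itself: it compares the installed version against the fixed version 5.9.3.7 component by component. The `installed_version_from_wp_cli` helper is an assumption about how you would feed it the output of the `wp plugin get ... --field=version` command shown above; the sample versions in `main` are constructed.

```python
import subprocess

# Version in which the vendor shipped the fix (from the advisory above).
FIXED_IN = "5.9.3.7"
# Plugin slug as used by wp-cli in the advisory's commands.
PLUGIN_SLUG = "profilegrid-user-profiles-groups-and-communities"


def parse_version(version: str) -> tuple:
    """Turn '5.9.3.6' into (5, 9, 3, 6) so comparison is numeric per component,
    not lexical. Non-numeric suffixes (e.g. '5.9.3.7-beta') are cut off, which
    conservatively treats a pre-release as the base version."""
    parts = []
    for piece in version.strip().split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        if not digits:
            break
        parts.append(int(digits))
    return tuple(parts)


def is_vulnerable(installed: str, fixed_in: str = FIXED_IN) -> bool:
    """True when the installed ProfileGrid version predates the fixed release.
    Tuple comparison handles differing lengths: (5, 9, 3) < (5, 9, 3, 7)."""
    return parse_version(installed) < parse_version(fixed_in)


def installed_version_from_wp_cli(slug: str = PLUGIN_SLUG) -> str:
    """Assumed helper: run the same wp-cli command the advisory lists and return
    the version string. Requires wp-cli on PATH and a WordPress install in CWD."""
    out = subprocess.run(
        ["wp", "plugin", "get", slug, "--field=version"],
        capture_output=True, text=True, check=True,
    )
    return out.stdout.strip()


def main() -> None:
    # Constructed sample versions to show the numeric-vs-lexical difference.
    for v in ["5.9.3.6", "5.9.3.7", "5.9.3.10", "5.9.3"]:
        status = "VULNERABLE" if is_vulnerable(v) else "fixed"
        lexical = "VULNERABLE" if v < FIXED_IN else "fixed"
        print(f"{v:10s} numeric={status:10s} naive-string-compare={lexical}")
    try:
        live = installed_version_from_wp_cli()
        print(f"installed: {live} -> {'VULNERABLE' if is_vulnerable(live) else 'fixed'}")
    except (FileNotFoundError, subprocess.CalledProcessError):
        print("wp-cli not available here; skipping live check")


if __name__ == "__main__":
    main()
```

Run it from the WordPress root where `wp` works to get the live verdict; without wp-cli it still prints the constructed comparison table, which shows the naive string comparison flagging 5.9.3.10 as vulnerable when it is not.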
📡 Detection & Monitoring
Log Indicators:
- POST requests to /wp-admin/admin-ajax.php with action=pm_remove_file_attachment from non-admin users
- Unusual user_meta deletion events in WordPress logs
Network Indicators:
- HTTP requests containing 'pm_remove_file_attachment' parameter from low-privilege user sessions
SIEM Query:
source="wordpress.log" AND "pm_remove_file_attachment" AND (user_role="subscriber" OR user_role="contributor" OR user_role="author")
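The SIEM query above assumes a log source that already carries `user_role` per request. As an added example (not code from the advisory, Wordfence or the plugin), here is the same detection logic as a small Python parser run over constructed sample lines in a simple key=value shape; the field names (`user`, `user_role`, `uri`, `action`) are assumptions about your own logging, and the sample entries, users and IPs are constructed. It flags `pm_remove_file_attachment` calls to admin-ajax.php made by subscriber, contributor or author sessions, and aggregates hits per user so repeated attempts stand out.

```python
import re
from collections import Counter

# The AJAX action the advisory names as the vulnerable entry point.
TARGET_ACTION = "pm_remove_file_attachment"
AJAX_ENDPOINT = "/wp-admin/admin-ajax.php"
# Roles the advisory's SIEM query treats as low-privilege.
LOW_PRIV_ROLES = {"subscriber", "contributor", "author"}

# Constructed sample log in an assumed key=value format (not a real WordPress log).
SAMPLE_LOG = """\
ts=2024-11-20T10:01:02Z ip=203.0.113.5 user=alice user_role=administrator method=POST uri=/wp-admin/admin-ajax.php action=pm_remove_file_attachment
ts=2024-11-20T10:03:44Z ip=198.51.100.7 user=bob user_role=subscriber method=POST uri=/wp-admin/admin-ajax.php action=pm_remove_file_attachment
ts=2024-11-20T10:03:45Z ip=198.51.100.7 user=bob user_role=subscriber method=POST uri=/wp-admin/admin-ajax.php action=pm_remove_file_attachment
ts=2024-11-20T10:05:00Z ip=198.51.100.9 user=carol user_role=contributor method=POST uri=/wp-admin/admin-ajax.php action=heartbeat
ts=2024-11-20T10:06:12Z ip=198.51.100.9 user=carol user_role=author method=POST uri=/wp-admin/admin-ajax.php action=pm_remove_file_attachment
ts=2024-11-20T10:07:30Z ip=198.51.100.9 user=carol user_role=author method=GET uri=/wp-login.php action=-
"""

KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_line(line: str) -> dict:
    """Split one 'key=value key=value' line into a dict; unknown keys are kept."""
    return dict(KV_RE.findall(line))


def is_suspicious(rec: dict) -> bool:
    """Match the advisory's indicator: the vulnerable action, on admin-ajax.php,
    from a session whose role is not administrative."""
    return (
        rec.get("action") == TARGET_ACTION
        and rec.get("uri", "").split("?", 1)[0].endswith(AJAX_ENDPOINT)
        and rec.get("user_role") in LOW_PRIV_ROLES
    )


def find_suspicious(log_text: str) -> list:
    """Return the parsed records that match the indicator, in log order."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if is_suspicious(rec):
            hits.append(rec)
    return hits


def summarize_by_user(hits: list) -> dict:
    """Count hits per (user, role) so a burst from one account is visible."""
    return dict(Counter((r.get("user"), r.get("user_role")) for r in hits))


if __name__ == "__main__":
    found = find_suspicious(SAMPLE_LOG)
    for rec in found:
        print(f"{rec['ts']} {rec['user']}({rec['user_role']}) from {rec['ip']}")
    print(summarize_by_user(found))
```

On the sample the administrator's legitimate call and the `heartbeat` request are ignored, while the two subscriber calls and one author call are reported. Any hit from a non-admin role is worth investigating on an unpatched site; after patching, such requests should be denied by the plugin but still indicate probing.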
🔗 References
- https://plugins.trac.wordpress.org/browser/profilegrid-user-profiles-groups-and-communities/trunk/admin/class-profile-magic-admin.php#L1902
- https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3190069%40profilegrid-user-profiles-groups-and-communities&new=3190069%40profilegrid-user-profiles-groups-and-communities&sfp_email=&sfph_mail=
- https://www.wordfence.com/threat-intel/vulnerabilities/id/a0e5fcfa-ebc9-45f6-9cbc-c9e3540baa6f?source=cve