CVE-2024-30241

8.5 HIGH

📋 TL;DR

An authenticated SQL injection in the ProfileGrid WordPress plugin lets an attacker holding a contributor-level account (or any higher role) inject arbitrary SQL into queries the plugin runs against the site database. All versions up to and including 5.7.1 are affected; any WordPress site running the plugin at those versions can have its database read or modified by such an account.

💻 Affected Systems

Products:
  • ProfileGrid - User Profiles, Memberships, Groups and Communities
Versions: All versions up to and including 5.7.1
Operating Systems: Any OS running WordPress
Default Config Vulnerable: ⚠️ Yes
Notes: Exploitation requires an authenticated account with the contributor role or higher. Any WordPress installation running ProfileGrid 5.7.1 or earlier is affected, regardless of host OS or web server.

📦 What is this software?

ProfileGrid is a WordPress plugin that adds front-end user profiles, membership management, user groups and community features to a site. Because it handles user-supplied profile and group data, it runs database queries on behalf of low-privilege users, which is where this flaw sits.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete database compromise leading to data theft (including password hashes and session data), privilege escalation, site takeover, or data destruction.

🟠 Likely Case

Unauthorized data access, user information theft, and potential privilege escalation from contributor to administrator.

🟢 If Mitigated

Limited impact if the plugin is updated or deactivated, contributor-level accounts are reviewed, and the database user WordPress runs as has no privileges beyond its own schema; while a vulnerable version remains active, a data-leakage risk remains.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No (an authenticated contributor-level account is required)
Complexity: LOW

Exploitation requires an authenticated contributor-level account, which is easy to obtain on sites that hand out that role to registered users. SQL injection techniques are well documented, so a working exploit is straightforward once the injection point is known.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 5.7.2 or later

Vendor Advisory: https://patchstack.com/database/vulnerability/profilegrid-user-profiles-groups-and-communities/wordpress-profilegrid-user-profiles-memberships-groups-and-communities-plugin-5-7-1-contributor-sql-injection-vulnerability?_s_id=cve

Restart Required: No

Instructions:

1. Log into the WordPress admin panel.
2. Navigate to Plugins > Installed Plugins.
3. Find the ProfileGrid plugin.
4. Click 'Update Now' if an update is available.
5. If no update is offered, download version 5.7.2 or later from the WordPress.org plugin repository and update manually.

🔧 Temporary Workarounds

Temporary Plugin Deactivation

Applies to: all platforms

Disable the ProfileGrid plugin until it is patched, so the vulnerable code path cannot be reached. This also removes the profile, group and membership features the plugin provides from the site.

wp plugin deactivate profilegrid-user-profiles-groups-and-communities

Restrict Contributor Access

Applies to: all platforms

Temporarily demote contributor accounts (for example, to subscriber) or suspend untrusted ones until the plugin is updated, and make sure new user registration does not grant the contributor role or higher by default (Settings > General > New User Default Role). This only narrows who can exploit the flaw; it does not remove it.

🧯 If You Can't Patch

  • Put the site behind a web application firewall (WAF) with SQL injection rules; this raises the bar but can be bypassed with encoding tricks and is no substitute for the patch
  • Apply the principle of least privilege: review who holds the contributor role or higher, remove accounts that no longer need it, and ensure the database account WordPress uses has no privileges beyond its own schema

🔍 How to Verify

Check if Vulnerable:

The site is vulnerable if the installed ProfileGrid version is 5.7.1 or lower. Check the version in the WordPress admin under Plugins > Installed Plugins, or with wp-cli as below.

Check Version:

wp plugin get profilegrid-user-profiles-groups-and-communities --field=version

Verify Fix Applied:

Confirm that the installed plugin version reports 5.7.2 or higher after the update, comparing version components numerically (5.7.10 is newer than 5.7.2).
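As an added example (not part of the advisory, the vendor's tooling or the plugin), the version check above and the contributor review from the workarounds section scripted together with wp-cli. It assumes `wp` is on PATH and that it is run from the WordPress root; the plugin slug and `--field=version` invocation are the ones shown above, and `wp plugin get --field=status` and `wp user list --role=... --field=user_login` are standard wp-cli commands. The version comparison is numeric, so 5.7.10 is correctly treated as newer than 5.7.2, which a plain string comparison would get wrong.

```python
"""Audit a WordPress site for CVE-2024-30241 exposure using wp-cli (added example)."""
import re
import shutil
import subprocess
import sys

# Plugin slug as used on wordpress.org and by wp-cli (from the advisory above).
PLUGIN_SLUG = "profilegrid-user-profiles-groups-and-communities"
FIXED_VERSION = "5.7.2"  # first release carrying the fix
# Roles that satisfy the "contributor-level access" precondition. Administrators are
# left out: they can already do anything and do not need an injection.
EXPOSED_ROLES = ("contributor", "author", "editor")


def parse_version(version: str) -> tuple:
    """Turn '5.7.1' (or '5.7.1-beta2') into (5, 7, 1) so comparison is numeric."""
    parts = []
    for piece in re.split(r"[.+-]", version.strip()):
        m = re.match(r"\d+", piece)
        if not m:
            break  # stop at the first non-numeric component (e.g. 'beta2')
        parts.append(int(m.group()))
    if not parts:
        raise ValueError(f"unparseable version string: {version!r}")
    return tuple(parts)


def is_vulnerable(version: str) -> bool:
    """True when the installed version predates the fixed release (i.e. <= 5.7.1)."""
    return parse_version(version) < parse_version(FIXED_VERSION)


def wp(*args: str) -> str:
    """Run a wp-cli command and return its stdout.

    Assumption: `wp` is on PATH and the working directory is the WordPress root
    (otherwise pass --path=... in args).
    """
    result = subprocess.run(["wp", *args], capture_output=True, text=True, check=True)
    return result.stdout.strip()


def audit() -> dict:
    """Collect plugin version, activation state and the accounts able to exploit the bug."""
    if shutil.which("wp") is None:
        raise RuntimeError("wp-cli not found on PATH")
    try:
        version = wp("plugin", "get", PLUGIN_SLUG, "--field=version")
    except subprocess.CalledProcessError:
        return {"installed": False}
    status = wp("plugin", "get", PLUGIN_SLUG, "--field=status")
    exposed = {}
    for role in EXPOSED_ROLES:
        users = wp("user", "list", f"--role={role}", "--field=user_login").splitlines()
        if users:
            exposed[role] = users
    return {
        "installed": True,
        "version": version,
        "vulnerable": is_vulnerable(version),
        "active": status == "active",
        "exposed_accounts": exposed,
    }


def main() -> int:
    report = audit()
    if not report["installed"]:
        print("ProfileGrid is not installed; not affected")
        return 0
    state = "active" if report["active"] else "inactive"
    print(f"ProfileGrid {report['version']} ({state})")
    if report["vulnerable"] and report["active"]:
        print(f"VULNERABLE: update to {FIXED_VERSION}+ or run: wp plugin deactivate {PLUGIN_SLUG}")
    elif report["vulnerable"]:
        print("Vulnerable version installed but inactive; update before re-enabling")
    else:
        print("Fixed version installed")
    for role, users in report["exposed_accounts"].items():
        print(f"  {role}: {len(users)} account(s) meeting the precondition: {', '.join(users)}")
    return 1 if (report["vulnerable"] and report["active"]) else 0


if __name__ == "__main__":
    sys.exit(main())
```

Run it from the WordPress root; a non-zero exit means a vulnerable version is both installed and active, which makes it usable as a gate in a deployment check. The account listing is the input to the "Restrict Contributor Access" workaround: those are the logins to demote or suspend until the update is applied.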

📡 Detection & Monitoring

Log Indicators:

  • Requests to ProfileGrid pages or AJAX actions whose parameters contain SQL syntax (quotes, comment markers, UNION SELECT, SLEEP(), references to wp_users or information_schema)
  • Unexpected queries in the MySQL general or slow query log, such as UNION SELECT against wp_users or SLEEP()-based delays
  • Contributor accounts suddenly holding administrator capabilities, or new administrator accounts the site owner did not create
  • Unexpected database schema changes

Network Indicators:

  • Unusual database connection patterns
  • SQL error messages in HTTP responses

SIEM Query:

source="wordpress.log" AND "profilegrid" AND ("sql" OR "database" OR "query")
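The SIEM query above matches any log line that mentions the plugin together with a database keyword, which is noisy. As an added example, not from the advisory or the vendor, the script below applies the log indicators listed above to web-server access logs instead: it scopes to requests whose target or referer mentions ProfileGrid, URL-decodes the request (twice, to catch double encoding), and grades SQL-injection indicators by how rarely they occur in legitimate traffic. The sample log lines are constructed for the example, and the `page=profilegrid` and `action=pm_example` parameters in them are hypothetical, since the advisory does not name the vulnerable endpoint; adjust the scoping filter to the real ProfileGrid request paths seen on your site.

```python
"""Flag SQL-injection attempts against ProfileGrid in access logs (added example)."""
import re
from collections import Counter
from urllib.parse import unquote_plus

# Apache/Nginx "combined" log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "[^"]*"$'
)

# Indicators evaluated against the URL-decoded request target.
# STRONG ones are rarely legitimate; WEAK ones (a lone apostrophe) need corroboration.
STRONG = {
    "union_select": re.compile(r"\bunion\b.{0,40}\bselect\b", re.I),
    "time_based": re.compile(r"\b(sleep|benchmark|pg_sleep)\s*\(", re.I),
    "tautology": re.compile(r"\b(or|and)\b\s+['\"]?\w+['\"]?\s*=\s*['\"]?\w+", re.I),
    "schema_probe": re.compile(r"\binformation_schema\b|\bwp_users\b", re.I),
}
WEAK = {
    "quote": re.compile(r"['\"]"),
    "comment": re.compile(r"(--|/\*|#)"),
}

# Constructed sample log; the profilegrid page/action parameter names are hypothetical.
SAMPLE_LOG = """\
203.0.113.10 - - [10/Apr/2024:09:12:01 +0000] "GET /wp-admin/admin.php?page=profilegrid&tab=groups HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Apr/2024:09:12:44 +0000] "GET /?s=profilegrid+o%27brien HTTP/1.1" 200 9031 "-" "Mozilla/5.0"
203.0.113.10 - - [10/Apr/2024:09:13:05 +0000] "POST /wp-admin/admin-ajax.php?action=pm_example&gid=1%27%20UNION%20SELECT%20user_login%2Cuser_pass%20FROM%20wp_users--%20- HTTP/1.1" 200 812 "https://blog.example/wp-admin/admin.php?page=profilegrid" "Mozilla/5.0"
203.0.113.10 - - [10/Apr/2024:09:13:09 +0000] "GET /wp-admin/admin.php?page=profilegrid&gid=5%20AND%20SLEEP(5) HTTP/1.1" 500 0 "-" "Mozilla/5.0"
192.0.2.55 - - [10/Apr/2024:09:14:30 +0000] "GET /wp-login.php?log=admin%27-- HTTP/1.1" 200 1200 "-" "curl/8.4"
""".splitlines()


def decode(target: str) -> str:
    """URL-decode twice so double-encoded payloads (%2527 -> %27 -> ') are caught too."""
    return unquote_plus(unquote_plus(target))


def analyse_line(line: str):
    """Return a finding for a suspicious ProfileGrid request, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    target, referer = m["target"], m["referer"]
    # Scope to plugin traffic, as the SIEM query above does, using target and referer.
    if "profilegrid" not in (target + referer).lower():
        return None
    decoded = decode(target)
    strong = [name for name, rx in STRONG.items() if rx.search(decoded)]
    weak = [name for name, rx in WEAK.items() if rx.search(decoded)]
    if not strong and not weak:
        return None
    return {
        "ip": m["ip"],
        "ts": m["ts"],
        "method": m["method"],
        "path": target.split("?", 1)[0],
        "status": int(m["status"]),          # 500s alongside payloads suggest SQL errors
        "indicators": weak + strong,
        "severity": "high" if strong else "low",
    }


def scan(lines):
    """Run analyse_line over an iterable of log lines and keep the findings."""
    return [f for f in (analyse_line(line) for line in lines) if f]


def by_source(findings):
    """Count high-severity findings per client IP to surface the noisiest source."""
    return Counter(f["ip"] for f in findings if f["severity"] == "high")


if __name__ == "__main__":
    found = scan(SAMPLE_LOG)
    for f in found:
        print(f"[{f['severity']}] {f['ip']} {f['method']} {f['path']} -> {f['status']} {f['indicators']}")
    print("high-severity hits per source:", dict(by_source(found)))
```

Access logs do not carry the WordPress username, so correlate the flagged IP and timestamp with the WordPress login or audit log to identify which contributor account was used; the benign "o'brien" search is kept as a low-severity finding on purpose to show why a lone quote should not page anyone.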
