CVE-2024-5453
📋 TL;DR
The ProfileGrid WordPress plugin has a missing capability check vulnerability that allows authenticated users with Subscriber-level access or higher to modify arbitrary plugin options to '1' or change group icons. This affects all versions up to and including 5.8.6. Attackers can manipulate plugin settings without proper authorization.
💻 Affected Systems
- ProfileGrid – User Profiles, Groups and Communities WordPress plugin
📦 What is this software?
Profilegrid by Metagauss
⚠️ Risk & Real-World Impact
Worst Case
Attackers could disable security features, modify user permissions, or corrupt plugin functionality by changing critical options to '1', potentially leading to privilege escalation or service disruption.
Likely Case
Attackers will change visible settings like group icons or notification preferences, causing minor configuration issues but not critical system compromise.
If Mitigated
With proper access controls and monitoring, impact is limited to non-critical configuration changes that can be easily reverted.
🎯 Exploit Status
Exploitation requires authenticated access but is technically simple - attackers just need to call vulnerable functions with appropriate parameters.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 5.8.7 or later
Restart Required: No
Instructions:
1. Log into WordPress admin panel
2. Go to Plugins → Installed Plugins
3. Find ProfileGrid plugin
4. Click 'Update Now' if available
5. Alternatively, download version 5.8.7+ from WordPress repository
6. Upload and replace existing plugin files
🔧 Temporary Workarounds
Temporary Capability Restriction
Temporarily restrict Subscriber role capabilities using a security plugin
Install and configure WordPress security plugin like Wordfence or iThemes Security to monitor user actions
Plugin Deactivation
Temporarily disable ProfileGrid plugin until patched
wp plugin deactivate profilegrid-user-profiles-groups-and-communities
🧯 If You Can't Patch
- Implement strict user role management - review and minimize Subscriber-level users
- Enable detailed logging of plugin option changes and monitor for unauthorized modifications
🔍 How to Verify
Check if Vulnerable:
Check the ProfileGrid plugin version in the WordPress admin panel under Plugins → Installed Plugins. If the version is 5.8.6 or lower, the site is vulnerable.
Check Version:
wp plugin get profilegrid-user-profiles-groups-and-communities --field=version
Verify Fix Applied:
After the update, verify that the plugin version shows 5.8.7 or higher. Test with a Subscriber account that the pm_dismissible_notice and pm_wizard_update_group_icon functions now require proper permissions.
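The version check above is easy to get wrong when scripted, because a plain string comparison ranks "5.8.10" below "5.8.7". The following script is an added example (not part of this advisory or of the ProfileGrid plugin) that wraps the wp-cli command from "Check Version" and compares the result numerically against the first fixed release, 5.8.7. It assumes wp-cli is on PATH and that the script runs from, or is pointed at, the WordPress root via the standard `--path` global parameter.

```python
"""Decide whether an installed ProfileGrid version falls in the affected
range (<= 5.8.6) for CVE-2024-5453.

Added example for this advisory; not code from the plugin or its vendor.
"""
import re
import shutil
import subprocess
from typing import Optional, Tuple

PLUGIN_SLUG = "profilegrid-user-profiles-groups-and-communities"
FIXED_VERSION = "5.8.7"  # first release the advisory lists as fixed


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '5.8.6', 'v5.8.10' or '5.8.7-rc1' into a tuple of ints.

    Only the leading dotted-numeric part is used; a suffix such as '-rc1'
    is ignored. Numeric comparison matters: as strings, '5.8.10' < '5.8.7'.
    """
    m = re.match(r"^\s*v?(\d+(?:\.\d+)*)", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(part) for part in m.group(1).split("."))


def is_affected(installed: str, fixed: str = FIXED_VERSION) -> bool:
    """True when the installed version is older than the first fixed release."""
    return parse_version(installed) < parse_version(fixed)


def installed_version(wp_path: str = ".") -> Optional[str]:
    """Ask wp-cli for the plugin version; None if wp-cli or the plugin is absent.

    This is the same command the advisory gives under 'Check Version',
    with --path added so it can be run from outside the site directory.
    """
    if shutil.which("wp") is None:
        return None
    result = subprocess.run(
        ["wp", "plugin", "get", PLUGIN_SLUG, "--field=version", f"--path={wp_path}"],
        capture_output=True, text=True, check=False,
    )
    if result.returncode != 0 or not result.stdout.strip():
        return None
    return result.stdout.strip()


if __name__ == "__main__":
    version = installed_version()
    if version is None:
        print("wp-cli not available or ProfileGrid not installed")
    else:
        status = "VULNERABLE (update to 5.8.7+)" if is_affected(version) else "patched"
        print(f"ProfileGrid {version}: {status}")
```

Run it from the WordPress root, or pass the site path to `installed_version()`; a non-zero exit from wp-cli (plugin not installed, wrong path) is reported rather than treated as "patched".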
📡 Detection & Monitoring
Log Indicators:
- Unauthorized POST requests to admin-ajax.php with pm_dismissible_notice or pm_wizard_update_group_icon actions
- Unexpected changes to ProfileGrid plugin options in database
Network Indicators:
- POST requests from low-privilege users to WordPress admin endpoints with suspicious parameters
SIEM Query:
source="wordpress.log" AND (action="pm_dismissible_notice" OR action="pm_wizard_update_group_icon") AND user_role="subscriber"
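The SIEM query above assumes a log source that already carries `action` and `user_role` fields. The script below is an added example (not part of the advisory) that implements the same rule in Python over constructed key=value log lines with those field names, so it can be adapted to whatever your audit plugin or reverse proxy actually emits. It widens the query in two ways, both stated here as design choices rather than anything the advisory says: it matches every built-in role below administrator, not only `subscriber`, because the advisory states that any authenticated role can reach these handlers; and it does not restrict on HTTP method, because admin-ajax.php dispatches the `action` parameter from both GET and POST requests.

```python
"""Flag admin-ajax.php calls to the two ProfileGrid actions named in
CVE-2024-5453 when they originate from low-privilege roles.

Added detection example for this advisory. The log format and the sample
lines below are constructed; field names mirror the advisory's SIEM query.
"""
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List

# AJAX actions the advisory identifies as lacking a capability check.
SUSPICIOUS_ACTIONS = {"pm_dismissible_notice", "pm_wizard_update_group_icon"}

# Built-in WordPress roles below administrator. Administrators are excluded
# because they legitimately use these plugin functions from wp-admin.
LOW_PRIVILEGE_ROLES = {"subscriber", "contributor", "author", "editor"}

# key=value tokens; values may be double-quoted to allow spaces.
_KV = re.compile(r'(\w+)=("([^"]*)"|(\S+))')


def parse_kv_line(line: str) -> Dict[str, str]:
    """Parse one key=value log line into a dict (quoted values unwrapped)."""
    return {
        m.group(1): m.group(3) if m.group(3) is not None else m.group(4)
        for m in _KV.finditer(line)
    }


@dataclass
class Alert:
    ts: str
    method: str
    user: str
    role: str
    action: str


def detect(lines: Iterable[str]) -> List[Alert]:
    """Return an Alert for each request matching the advisory's indicators."""
    alerts: List[Alert] = []
    for line in lines:
        rec = parse_kv_line(line)
        # Ignore a query string so '/wp-admin/admin-ajax.php?x=1' still matches.
        path = rec.get("uri", "").split("?", 1)[0]
        if not path.endswith("/wp-admin/admin-ajax.php"):
            continue
        action = rec.get("action", "")
        role = rec.get("user_role", "").lower()
        if action in SUSPICIOUS_ACTIONS and role in LOW_PRIVILEGE_ROLES:
            alerts.append(Alert(
                ts=rec.get("ts", ""),
                method=rec.get("method", "?").upper(),
                user=rec.get("user", "?"),
                role=role,
                action=action,
            ))
    return alerts


# Constructed sample log: two hits from a subscriber (one via GET), one
# from a contributor, one legitimate administrator call, one unrelated action.
SAMPLE_LOG = """\
ts=2024-06-01T12:00:01Z method=POST uri=/wp-admin/admin-ajax.php action=pm_dismissible_notice user=alice user_role=subscriber status=200
ts=2024-06-01T12:00:05Z method=POST uri=/wp-admin/admin-ajax.php action=pm_wizard_update_group_icon user=siteadmin user_role=administrator status=200
ts=2024-06-01T12:00:09Z method=GET uri=/wp-admin/admin-ajax.php?action=pm_dismissible_notice action=pm_dismissible_notice user=alice user_role=subscriber status=200
ts=2024-06-01T12:00:12Z method=POST uri=/wp-admin/admin-ajax.php action=heartbeat user=bob user_role=subscriber status=200
ts=2024-06-01T12:00:20Z method=POST uri=/wp-admin/admin-ajax.php action=pm_wizard_update_group_icon user="mallory" user_role=contributor status=200
"""


def run_sample() -> List[Alert]:
    """Run the detector over the constructed sample log."""
    return detect(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for a in run_sample():
        print(f"{a.ts} {a.method} {a.user} ({a.role}) -> {a.action}")
```

Pair the alerts with the second log indicator, unexpected changes to ProfileGrid options in the database: a low-privilege call to one of these actions followed by an option change is a much stronger signal than either event alone.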
🔗 References
- https://plugins.trac.wordpress.org/browser/profilegrid-user-profiles-groups-and-communities/trunk/admin/class-profile-magic-admin.php#L1378
- https://plugins.trac.wordpress.org/browser/profilegrid-user-profiles-groups-and-communities/trunk/admin/class-profile-magic-admin.php#L2006
- https://plugins.trac.wordpress.org/changeset/3095503/profilegrid-user-profiles-groups-and-communities/trunk/admin/class-profile-magic-admin.php?contextall=1
- https://www.wordfence.com/threat-intel/vulnerabilities/id/7a44d182-2a43-47c0-ab2e-36c0514c1d47?source=cve