ProfileGrid – User Profiles, Memberships, Groups and Communities < 5.8.4 – Missing Authorization | CVE 2024-3606 | Plugin Vulnerabilities

Description

The ProfileGrid – User Profiles, Memberships, Groups and Communities plugin for WordPress is vulnerable to unauthorized deletion of data due to a missing capability check on the pm_upload_cover_image function in all versions up to, and including, 5.8.3. This makes it possible for authenticated attackers, with subscriber access or higher, to delete attachments.

Affects Plugins

profilegrid-user-profiles-groups-and-communities

Fixed in 5.8.4

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/c039d2fe-7518-4724-a025-6380a53fb58c

Classification

Type

NO AUTHORISATION

OWASP top 10

A5: Broken Access Control

CWE

CVSS

Miscellaneous

Original Researcher

Lucio Sá

Verified

No

WPVDB ID

2f8b47a4-f6b4-4824-a674-3ed8ac258563

Timeline

Publicly Published

2024-04-16 (about 2 years ago)

Added

2024-04-16 (about 2 years ago)

Last Updated

2024-04-16 (about 2 years ago)

Other

Published

Title

Published

2025-06-05

Title

Job Board Manager < 2.1.61 - Missing Authorization

Published

2023-01-10

Title

Royal Elementor Addons < 1.3.60 - Subscriber+ Arbitrary Template Import

Published

2025-12-30

Title

WpStream < 4.9.6 - Missing Authorization

Published

2025-10-11

Title

Togo < 1.0.4 - Missing Authorization

Published

2025-09-30

Title

Flights & Hotels Booking WP Plugin <= 3.1 - Missing Authorization