ProfileGrid < 5.8.7 – Missing Authorization | CVE 2024-5453 | Plugin Vulnerabilities

Description

The ProfileGrid – User Profiles, Groups and Communities plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the pm_dismissible_notice and pm_wizard_update_group_icon functions in all versions up to, and including, 5.8.6. This makes it possible for authenticated attackers, with Subscriber-level access and above, to change arbitrary options to the value '1' or change group icons.

Affects Plugins

profilegrid-user-profiles-groups-and-communities

Fixed in 5.8.7

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/7a44d182-2a43-47c0-ab2e-36c0514c1d47

Classification

Type

NO AUTHORISATION

OWASP top 10

A5: Broken Access Control

CWE

CVSS

Miscellaneous

Original Researcher

Lucio Sá

Verified

No

WPVDB ID

418d3074-5db5-40f4-a722-0e5ef47cf120

Timeline

Publicly Published

2024-06-04 (about 1 year ago)

Added

2024-06-04 (about 1 year ago)

Last Updated

2024-06-05 (about 1 year ago)

Other

Published

Title

Published

2024-01-19

Title

ColorMag < 3.1.3 - Missing Authorization to Arbitrary Plugin Installation

Published

2025-12-02

Title

Tiktok Feed < 1.0.24 - Missing Authorization

Published

2024-05-31

Title

QQWorld Auto Save Images <= 1.9.8 - Missing Authorization to Arbitrary Post Content Retrieval

Published

2025-07-04

Title

Frontend File Manager <= 23.2 - Missing Authorization to Authenticated (Subscriber+) Content Injection

Published

2024-05-13

Title

YITH WooCommerce Gift Cards < 4.13.0 - Missing Authorization to Unauthenticated WooCommerce Settings Update