WordPress Plugin Vulnerabilities

ProfileGrid < 5.5.3 - Group Owner+ Unauthorized Data Modification

Description

The plugin does not adequately check capabilities on the 'edit_group' handler, enabling authenticated users with group ownership to improperly update group options, including the 'associate_role' parameter, which sets the member's role.

Affects Plugins

Plugin icon
profilegrid-user-profiles-groups-and-communities
Fixed in 5.5.3

References

CVE
CVE-2023-3714
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/a4766651-92a6-42c9-81bc-7ea25350f561

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
7.5 (high)

Miscellaneous

Original Researcher
Lana Codes
Verified
No
WPVDB ID
a6e426d5-7d16-41a4-94e8-67afcfca1dff

Timeline

Publicly Published
2023-07-17 (about 2 years ago)
Added
2023-07-18 (about 2 years ago)
Last Updated
2023-07-18 (about 2 years ago)

Other

Published
Title
Published
2025-12-02
Title
Tiktok Feed < 1.0.24 - Missing Authorization
Published
2026-01-07
Title
Re Gallery < 1.18.10 - Missing Authorization
Published
2025-12-31
Title
Simple Like Page < 2.0.0 - Missing Authorization
Published
2024-02-14
Title
WP Setup Wizard < 1.0.8.2 - Authenticated (Subscriber+) Full Database Download
Published
2025-04-01
Title
Automatic Featured Images from Videos < 1.2.5 - Missing Authorization