WordPress Plugin Vulnerabilities

ProfileGrid – User Profiles, Memberships, Groups and Communities < 5.8.0 - Insecure Direct Object Reference

Description

The ProfileGrid – User Profiles, Memberships, Groups and Communities plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 5.7.9 due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with subscriber-level access and above, to perform an unauthorized action. It is unknown how this differs from CVE-2024-32808.

Affects Plugins

Plugin icon
profilegrid-user-profiles-groups-and-communities
Fixed in 5.8.0

References

CVE
CVE-2024-32772
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/a5be103f-e174-47f9-8a1b-bb0d073c54e4

Classification

Type
IDOR
OWASP top 10
A5: Broken Access Control
CWE
CWE-639
CVSS
4.3 (medium)

Miscellaneous

Original Researcher
Kyle Sanchez
Verified
No
WPVDB ID
ba08532e-c5b4-43b3-89c4-a0bd97f067d6

Timeline

Publicly Published
2024-04-22 (about 2 years ago)
Added
2024-05-02 (about 2 years ago)
Last Updated
2024-05-02 (about 2 years ago)

Other

Published
Title
Published
2025-10-16
Title
Binary MLM Plan <= 5.0 - Authenticated (Subscriber+) Insecure Direct Object Reference
Published
2025-09-18
Title
Service Finder Bookings <= 6.0 - Unauthenticated Privilege Escalation via claim_business
Published
2024-05-15
Title
Tutor LMS – eLearning and online course solution < 2.7.1 - Authenticated (Instructor+) Insecure Direct Object Reference to Arbitrary Course Deletion
Published
2026-04-16
Title
LatePoint < 5.4.0 - Insecure Direct Object Reference to Unauthenticated Sensitive Financial Data Exposure via Sequential Invoice ID
Published
2026-05-01
Title
WCFM – Frontend Manager for WooCommerce along with Bookings Subscription Listings Compatible < 6.7.26 - Authenticated (Vendor+) Insecure Direct Object Reference to Arbitrary User Deletion