WordPress Plugin Vulnerabilities

ProfileGrid < 5.7.3 - Authenticated (Subscriber+) Insecure Direct Object Reference

Description

The ProfileGrid – User Profiles, Memberships, Groups and Communities plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 5.7.2 due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with subscriber-level access and above to perform an unauthorized action.

Affects Plugins

Plugin icon
profilegrid-user-profiles-groups-and-communities
Fixed in 5.7.3

References

CVE
CVE-2024-30513
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/b2436028-9ac2-4232-bccf-26019a26e186

Classification

Type
IDOR
OWASP top 10
A5: Broken Access Control
CWE
CWE-639
CVSS
4.3 (medium)

Miscellaneous

Original Researcher
Van Lyubov
Verified
No
WPVDB ID
ef407783-b080-4592-b34e-95ed3688a2a6

Timeline

Publicly Published
2024-03-28 (about 2 years ago)
Added
2024-04-04 (about 2 years ago)
Last Updated
2024-04-04 (about 2 years ago)

Other

Published
Title
Published
2025-01-31
Title
WP Job Portal < 2.2.7 - Insecure Direct Object Reference to Unauthenticated Company Logo Deletion
Published
2025-06-23
Title
MDJM Event Management <= 1.7.8.2 - Subscriber+ Privilege Escalation
Published
2026-01-06
Title
Optional Email <= 1.3.11 - Unauthenticated Privilege Escalation to Account Takeover
Published
2025-05-05
Title
User Registration & Membership – Custom Registration Form, Login Form, and User Profile < 4.2.2 - Insecure Direct Object Reference to Unauthenticated Limited User Deletion
Published
2026-04-16
Title
LatePoint < 5.4.0 - Insecure Direct Object Reference to Unauthenticated Sensitive Financial Data Exposure via Sequential Invoice ID