A security flaw in the ProfileGrid plugin for WordPress enables users with basic access to illegitimately upgrade their account permissions to the highest level, granting them full control over the site. This plugin allows users to integrate various functionalities on their website and has seen over 7,000 active installations.
The issue stems from a weakness in how the plugin handles user data, allowing malicious actors to modify their account information and gain administrator privileges.
The flaw was discovered during a cybersecurity event in late June 2024. Security researcher Tieu Pham Trong Nhan, known in the cybersecurity community as aptx4869, uncovered the vulnerability.
ProfileGrid is a popular user profile and membership plugin for WordPress. It offers features including profiles, groups, communities, paid memberships, directories, and private messaging. The vulnerability is rooted in the ‘pm_upload_image’ function within the Profile_Magic_Public class, which handles uploading, editing, or deleting a user’s profile picture.
The issue lies in the function’s implementation, which lacks proper validation and sanitisation checks. Specifically, the function allows authenticated users, including those with subscriber-level access, to update their user capabilities by supplying the ‘wp_capabilities’ array parameter during a profile picture update.
This oversight permits users to escalate their privileges to an administrator, potentially compromising the entire site.

The ‘pm_upload_image’ function’s primary flaw is its unrestricted ability to modify user metadata. During a profile picture update, the function fails to validate the user-supplied data, allowing attackers to inject arbitrary values into the ‘wp_capabilities’ array.
This lack of restrictions enables attackers to assign themselves administrative privileges, granting them full control over the WordPress site.
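To make the flaw class concrete from a defender's side, here is an added illustration that is not ProfileGrid's code: a hypothetical WordPress profile-update handler written for this article, shown first in the vulnerable shape the text describes (every submitted field written straight into user meta, so a key such as ‘wp_capabilities’ is accepted) and then in a hardened form. The function names ‘example_vulnerable_profile_update’, ‘example_hardened_profile_update’, the nonce action name and the allowlisted meta keys are all assumptions made for the example.

```php
<?php
// Added example, not ProfileGrid's code. Names below are assumptions.

// VULNERABLE PATTERN: every submitted field becomes a user-meta write.
// WordPress stores a user's roles in the "{table_prefix}capabilities" meta key
// (by default "wp_capabilities"), so a handler that accepts an arbitrary key
// name lets a low-privilege user rewrite their own role.
function example_vulnerable_profile_update( $user_id, array $fields ) {
    foreach ( $fields as $key => $value ) {
        update_user_meta( $user_id, $key, $value );
    }
}

// HARDENED PATTERN: check the caller may edit this user, verify the nonce,
// allowlist the meta keys the form may touch, sanitise each value, and never
// let a form write capability or user-level metadata.
function example_hardened_profile_update( $user_id, array $fields ) {
    if ( ! current_user_can( 'edit_user', $user_id ) ) {
        return new WP_Error( 'forbidden', 'Not allowed to edit this user.' );
    }
    if ( empty( $fields['_wpnonce'] ) ||
         ! wp_verify_nonce( $fields['_wpnonce'], 'example_profile_update' ) ) {
        return new WP_Error( 'bad_nonce', 'Nonce verification failed.' );
    }

    global $wpdb;
    // Keys that must only ever change through WP_User::set_role() by an admin.
    $protected_keys = array(
        $wpdb->prefix . 'capabilities',
        $wpdb->prefix . 'user_level',
    );

    // Allowlist (constructed for the example): meta key => sanitiser callback.
    $allowed = array(
        'example_profile_image' => 'esc_url_raw',
        'example_display_bio'   => 'sanitize_textarea_field',
    );

    $written = array();
    foreach ( $fields as $key => $value ) {
        if ( in_array( $key, $protected_keys, true ) ) {
            continue; // defence in depth: drop role/capability keys outright
        }
        if ( ! isset( $allowed[ $key ] ) ) {
            continue; // unknown field: discard rather than store
        }
        update_user_meta( $user_id, $key, call_user_func( $allowed[ $key ], $value ) );
        $written[] = $key;
    }
    return $written; // keys actually persisted, useful for logging/audit
}
```

The allowlist is the real control here: a handler that only knows a fixed set of keys cannot be steered into ‘wp_capabilities’ at all, and the explicit protected-key check catches the case where someone later widens the allowlist carelessly. Role changes should go through WP_User::set_role() from code paths that already require the ‘promote_users’ capability, never through a generic meta-update loop.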
With this administrative access, attackers can upload malicious plugins or themes containing backdoors or other malicious code, modify site content to redirect visitors to malicious sites or inject spam content, and manipulate user accounts to further entrench their foothold on the site.
Researchers have urged users to download the patched version of the plugin, 5.9.0, which was released on July 3, 2024.
Recently, a supply chain attack targeted four WordPress plugins: WP Server Health, Ad Invalid Click Protector, the PowerPress Podcasting plugin by Blubrry, and SEO Optimised Images.
Last month, five WordPress plugins were found to grant administrative privileges to attackers. Furthermore, an Arbitrary Options Update Flaw in WordPress posed a risk to more than 40,000 websites in June 2024.