
ProfileGrid plugin vulnerability affects more than 7,000 websites


A security flaw in the ProfileGrid plugin for WordPress allows any authenticated user, even one with subscriber-level access, to upgrade their own account to administrator, giving them full control of the site. ProfileGrid is a user profile and membership plugin with more than 7,000 active installations.

The issue stems from a weakness in how the plugin writes user metadata: a logged-in user can modify fields of their own account that should be off limits, including the one that stores their roles, which is enough to grant themselves administrator privileges.

The flaw was discovered during a cybersecurity event in late June 2024 by security researcher Tieu Pham Trong Nhan, known in the cybersecurity community as aptx4869.

ProfileGrid is a popular user profile and membership plugin for WordPress. It offers features including profiles, groups, communities, paid memberships, directories, and private messaging. The vulnerability is rooted in the ‘pm_upload_image’ function within the Profile_Magic_Public class, which handles uploading, editing, or deleting a user’s profile picture.

The issue lies in the function’s implementation, which does not restrict which user metadata a request may update. Specifically, the function allows authenticated users, including those with subscriber-level access, to change their own capabilities by supplying a ‘wp_capabilities’ array parameter alongside a profile picture update.

This oversight permits users to escalate their privileges to an administrator, potentially compromising the entire site.


The core flaw in ‘pm_upload_image’ is that it writes user-supplied metadata without restriction. During a profile picture update it does not check which meta keys are being set, so an attacker can inject arbitrary values into the ‘wp_capabilities’ array, the serialised list of roles that WordPress consults whenever it authorises the user.

Because nothing stops the ‘administrator’ role from being written there, attackers can assign themselves administrative privileges and take full control of the WordPress site.
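To make the bug class concrete, here is an added illustration (not ProfileGrid’s code, and not taken from the advisory) of a profile-picture handler that copies every submitted field into user meta, next to a hardened version that only writes an allowlisted key for the current user. The function names, the ‘pm_profile_picture’ meta key and nonce action, and the sample request body are assumptions made for this example; the WordPress API calls (‘update_user_meta’, ‘check_ajax_referer’, ‘get_current_user_id’, and so on) are real.

```php
<?php
// Added example: the mass-assignment pattern behind the ProfileGrid flaw, not the
// plugin's own code. Function names, meta keys and the request shape are assumed.

// VULNERABLE PATTERN: every key the client sends is written to the user's meta.
function vulnerable_save_profile_fields( int $user_id, array $fields ): void {
    foreach ( $fields as $key => $value ) {
        // With the default table prefix the roles live under 'wp_capabilities'
        // (more generally $wpdb->prefix . 'capabilities'), so a subscriber who
        // sends that key rewrites their own role list.
        update_user_meta( $user_id, $key, $value );
    }
}

// Constructed request body a subscriber could send to the vulnerable handler:
//   fields[wp_capabilities][administrator]=1
// After the loop above WordPress treats that subscriber as an administrator.

// Defence-in-depth guard: refuse the role and legacy level keys outright, whatever
// else a handler does. Uses the site's real prefix rather than assuming 'wp_'.
function is_privilege_meta_key( string $key ): bool {
    global $wpdb;
    $blocked = array(
        $wpdb->prefix . 'capabilities',
        $wpdb->prefix . 'user_level',
    );
    return in_array( $key, $blocked, true );
}

// HARDENED PATTERN: the request may only touch keys this feature actually needs,
// each run through a sanitiser, and only for the logged-in user's own account.
function hardened_save_profile_picture( array $request ): void {
    if ( ! is_user_logged_in() ) {
        wp_send_json_error( 'not logged in', 401 );
    }
    // Nonce bound to this action; blocks CSRF against the same endpoint.
    check_ajax_referer( 'pm_profile_picture', 'nonce' );

    $user_id = get_current_user_id();

    // Allowlist of meta key => sanitiser. Nothing outside it is ever written.
    $allowed = array(
        'pm_profile_picture' => 'absint', // attachment ID of the uploaded image
    );

    foreach ( $allowed as $key => $sanitize ) {
        if ( ! isset( $request[ $key ] ) || is_privilege_meta_key( $key ) ) {
            continue;
        }
        update_user_meta( $user_id, $key, call_user_func( $sanitize, $request[ $key ] ) );
    }
    // wp_capabilities, wp_user_level or any other key in $request is ignored.
    wp_send_json_success();
}
```

The fix is the allowlist, not the deny check: ‘is_privilege_meta_key’ is a backstop for handlers that genuinely need to accept a dynamic set of fields. Note that WordPress’s own ‘is_protected_meta’ would not help here, since it only protects keys beginning with an underscore and ‘wp_capabilities’ has none.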

With administrative access, attackers can upload malicious plugins or themes containing backdoors or other malicious code, modify site content to redirect visitors to malicious sites or inject spam, and create or alter user accounts to keep a persistent foothold on the site.

Researchers have urged users to update to the patched version of the plugin, 5.9.0, released on July 3, 2024. Since the patch does not revert roles that were already changed, site owners should also review their user list for unexpected administrator accounts.

Recently, a supply chain attack targeted four WordPress plugins: WP Server Health, Ad Invalid Click Protector, the PowerPress Podcasting plugin by Blubrry, and SEO Optimised Images.

Last month, five WordPress plugins were found to grant administrative privileges to attackers. Furthermore, an Arbitrary Options Update Flaw in WordPress posed a risk to more than 40,000 websites in June 2024.


Kumar Hemant

Deputy Editor at Candid.Technology. Hemant writes at the intersection of tech and culture and has a keen interest in science, social issues and international relations.