WordPress admins must update their websites with the latest ProfileGrid plugin release. A severe privilege escalation vulnerability in the ProfileGrid plugin could allow admin access to target WordPress sites.
ProfileGrid Plugin Vulnerability Risked WordPress Sites
Wordfence recently disclosed a severe privilege escalation vulnerability in the ProfileGrid plugin, which put thousands of WordPress sites at risk.
ProfileGrid – User Profiles, Groups and Communities is a dedicated WordPress user profiles plugin that lets you add profile forms or structured community configurations to your site. With more than 7,000 active installations at the time of writing, there are probably many thousands of sites in the wild, maybe even hundreds of thousands, that remain flawed until the patch is installed.
Understanding the Vulnerability
According to the technical details, the vulnerability was in the plugin's unvalidated pm_upload_image AJAX action. An attacker with subscriber-level access could authenticate to a target site and use this flaw to gain admin access.
The Code Injection vulnerability was assigned CVE-2024-6411 and a high severity rating of 8. It was reported by security researcher Tieu Pham Trong Nhan from TechlabCorp through the Wordfence bug bounty program, earning $488 in bounties. Sujee believes contributions like this from researchers are extremely important to the security of the internet.
Importance of Immediate Action
This vulnerability affected all plugin versions up to and including 5.8.9. Following the bug report, Wordfence coordinated with the plugin developers on a patch, which they rolled out in ProfileGrid version 5.9.0 released earlier this month.
Although no exploitation attempts against this flaw have been observed in the wild, the plugin's official WordPress page currently shows only 36.7% of installations running the latest release, while the rest continue to run older, vulnerable versions. Given the threat, it is crucial for all WordPress users to update their sites with the latest plugin release as soon as possible. As Sujee suggests, keeping plugins updated is one of the simplest and most effective ways to protect your website from security threats.
Steps to Secure Your Website
- Update the ProfileGrid Plugin: Ensure your ProfileGrid plugin is updated to version 5.9.0 or later. This patch addresses the security vulnerability and is essential for keeping your site safe. Sujee suggests checking for plugin updates regularly to avoid missing critical security fixes.
- Check All Plugins for Updates: It's not just ProfileGrid; regularly check all plugins running on your website for updates. Developers frequently release updates that address security vulnerabilities. As Sujee recommends, setting up automatic updates for your plugins can save you time and ensure your site stays secure.
- Monitor Your Website: Keep an eye on your website’s activity. Use security plugins like Wordfence to monitor for any suspicious activity or potential threats. Sujee suggests configuring security alerts so you are immediately notified of any unusual activity.
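The three steps above can be scripted against a site's WP-CLI. The following is an added example, not code from the article or from the ProfileGrid project: it compares the installed ProfileGrid version against the 5.9.0 fix release, updates the plugin when it is still on a vulnerable version, and then lists every other plugin with a pending update. The plugin slug is an assumption; the version comparison is pure POSIX shell and awk so it can be checked without a WordPress install.

```shell
#!/bin/sh
# Added example, not code from the article or the ProfileGrid project.
# Audits and patches ProfileGrid via WP-CLI, then lists other outdated plugins.

PLUGIN_SLUG="profilegrid-user-profiles-groups-and-communities"  # assumed slug
FIXED_VERSION="5.9.0"   # first release containing the fix (from the article)

# version_lt A B: succeed when dot-separated version A is lower than B.
# Fields are compared numerically, so 5.10.0 sorts above 5.9.0, and a
# missing trailing field counts as 0 (5.9 equals 5.9.0).
version_lt() {
  awk -v a="$1" -v b="$2" 'BEGIN {
    na = split(a, x, "[.]"); nb = split(b, y, "[.]")
    n = (na > nb) ? na : nb
    for (i = 1; i <= n; i++) {
      xi = (i <= na) ? x[i] + 0 : 0
      yi = (i <= nb) ? y[i] + 0 : 0
      if (xi < yi) exit 0
      if (xi > yi) exit 1
    }
    exit 1
  }'
}

# is_vulnerable VERSION: succeed when VERSION is 5.8.9 or older.
is_vulnerable() {
  version_lt "$1" "$FIXED_VERSION"
}

# installed_version: print the active ProfileGrid version via WP-CLI,
# or fail when WP-CLI or the plugin is not present.
installed_version() {
  command -v wp >/dev/null 2>&1 || return 1
  wp plugin get "$PLUGIN_SLUG" --field=version 2>/dev/null
}

# remediate: update ProfileGrid if it is still on a vulnerable release,
# then report any other plugins with updates waiting.
remediate() {
  ver=$(installed_version) || { echo "WP-CLI or $PLUGIN_SLUG not found"; return 1; }
  if is_vulnerable "$ver"; then
    echo "ProfileGrid $ver is vulnerable; updating to >= $FIXED_VERSION"
    wp plugin update "$PLUGIN_SLUG" || return 1
  else
    echo "ProfileGrid $ver already carries the fix"
  fi
  echo "Other plugins with updates available:"
  wp plugin list --update=available --field=name
}

# Usage: sh check-profilegrid.sh run   (from the WordPress root directory)
case "${1:-}" in
  run) remediate ;;
esac
```

Run it from the site's WordPress root, where WP-CLI can find wp-config.php; pair it with a cron job or your deployment pipeline so the check repeats rather than relying on someone remembering the advisory.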
Final Thoughts
Sujee suggests making it a habit to routinely review and update all aspects of your website’s security. This includes not only plugins but also themes and core WordPress updates. Staying informed and taking immediate action on security advisories can greatly reduce the risk of vulnerabilities being exploited. By following these practices, you can maintain a safer online presence for your website and its users.