The ProfileGrid plugin (versions ≤ 5.9.4.4) for WordPress fails to implement capability checks in the `pm_decline_join_group_request` and `pm_approve_join_group_request` functions. This allows authenticated attackers with Subscriber-level permissions or higher to manipulate group join requests—a privilege intended only for administrators. The vulnerability stems from insufficient validation of user roles before executing group moderation actions, enabling unauthorized data modification.
DailyCVE Form:
Platform: WordPress
Version: ≤ 5.9.4.4
Vulnerability: Missing Authorization
Severity: Medium
Date: 03/26/2025
What Undercode Say:
Exploitation:
1. Attacker logs in as a Subscriber.
2. Sends crafted POST request to `wp-admin/admin-ajax.php`:
POST /wp-admin/admin-ajax.php HTTP/1.1

action=pm_approve_join_group_request&request_id=123
3. Server processes request without role validation.
Detection:
Check plugin version:
grep "Version:" wp-content/plugins/profilegrid/readme.txt
Mitigation:
1. Update to ProfileGrid ≥ 5.9.4.5.
2. Add capability checks in the active theme's `functions.php` (interim hardening until the update is applied):

add_filter('user_has_cap', 'restrict_group_actions', 10, 4);

function restrict_group_actions($allcaps, $caps, $args, $user) {
    // Deny the group-moderation capability to any user who does not already
    // hold manage_options (administrators). Reading $allcaps directly avoids
    // re-entering this filter through $user->has_cap().
    if (in_array('approve_group_requests', $caps, true) && empty($allcaps['manage_options'])) {
        $allcaps['approve_group_requests'] = false;
    }
    return $allcaps;
}
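The snippet above only intercepts a capability name; the root cause is that the AJAX handlers themselves never ask WordPress who is calling. The following added example (written for this page, not ProfileGrid's own code) shows the vulnerable handler shape beside a hardened one for the same `wp_ajax_` action, plus an early-priority audit hook covering both actions named in the advisory that records unauthorized attempts for the Detection step. The capability used for the gate (`manage_options`), the nonce action name `pm_group_request_nonce`, and the function names prefixed `example_` are assumptions; the approval logic itself is left as a placeholder.

```php
<?php
// Added example, not ProfileGrid code. Hook names mirror the advisory
// (wp_ajax_pm_approve_join_group_request / wp_ajax_pm_decline_join_group_request);
// everything prefixed example_ and the nonce action name are assumptions.

// --- Vulnerable pattern (for contrast): any logged-in user reaches the action ---
function example_vulnerable_approve() {
    $request_id = absint($_POST['request_id'] ?? 0);
    // No capability check, no nonce: a Subscriber can approve request $request_id.
    example_do_approve($request_id);
    wp_send_json_success();
}

// --- Hardened handler: authorization, CSRF protection, input validation ---
add_action('wp_ajax_pm_approve_join_group_request', 'example_hardened_approve');
function example_hardened_approve() {
    // 1. Authorization: only users who may manage the site moderate join requests.
    if (! current_user_can('manage_options')) {
        wp_send_json_error(array('message' => 'Insufficient permissions'), 403);
    }
    // 2. CSRF: the request must carry a nonce issued to this user for this action
    //    (check_ajax_referer dies with a 403 when it is missing or invalid).
    check_ajax_referer('pm_group_request_nonce', 'nonce');

    // 3. Input validation: request ids are positive integers.
    $request_id = absint($_POST['request_id'] ?? 0);
    if ($request_id === 0) {
        wp_send_json_error(array('message' => 'Invalid request id'), 400);
    }

    example_do_approve($request_id);
    wp_send_json_success(array('request_id' => $request_id));
}

// Placeholder for the plugin-specific approval logic (hypothetical).
function example_do_approve($request_id) {
    // e.g. update the join-request row and add the user to the group.
}

// --- Detection aid: log every non-admin hit on either action before the
// plugin's own callback runs (priority 1 runs ahead of the default 10) ---
foreach (array('pm_approve_join_group_request', 'pm_decline_join_group_request') as $action) {
    add_action('wp_ajax_' . $action, 'example_audit_group_moderation', 1);
}
function example_audit_group_moderation() {
    if (current_user_can('manage_options')) {
        return; // expected caller, nothing to record
    }
    $user = wp_get_current_user();
    error_log(sprintf(
        'profilegrid-audit: unauthorized group-moderation attempt action=%s user_id=%d login=%s request_id=%s ip=%s',
        sanitize_key($_REQUEST['action'] ?? ''),
        $user->ID,
        $user->user_login,
        absint($_REQUEST['request_id'] ?? 0),
        sanitize_text_field($_SERVER['REMOTE_ADDR'] ?? '')
    ));
}
```

The audit hook writes to PHP's error log (`WP_DEBUG_LOG` routes it to `wp-content/debug.log` when enabled); grepping that file for `profilegrid-audit:` surfaces Subscriber-level accounts probing the two actions even after the plugin has been updated, which is the signal worth keeping alongside the version check.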
Analytics:
- CVSS: 6.5 (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N)
- Exploitability: Low (requires auth)
- Attack Vector: Web
- Patch: Vendor update
Commands:
- Verify installed plugins:
wp plugin list --fields=name,version
- Temporary workaround (disable plugin):
wp plugin deactivate profilegrid
References:
Reported By: https://nvd.nist.gov/vuln/detail/CVE-2025-1408
Extra Source Hub:
Undercode