vulnerability
WordPress Plugin: profilegrid-user-profiles-groups-and-communities: CVE-2023-3714: Missing Authorization
| Severity | CVSS | Published | Added | Modified |
|---|---|---|---|---|
| 7 | (AV:N/AC:H/Au:S/C:C/I:C/A:C) | Jul 17, 2023 | May 15, 2025 | May 15, 2025 |
Severity
7
CVSS
(AV:N/AC:H/Au:S/C:C/I:C/A:C)
Published
Jul 17, 2023
Added
May 15, 2025
Modified
May 15, 2025
Description
The ProfileGrid plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'edit_group' handler in versions up to, and including, 5.5.2. This makes it possible for authenticated attackers, with group ownership, to update group options, including the 'associate_role' parameter, which defines the member's role. This issue was partially patched in version 5.5.2 preventing privilege escalation, however, it was fully patched in 5.5.3.
Solution
profilegrid-user-profiles-groups-and-communities-plugin-cve-2023-3714
NEW
Explore Exposure Command
Confidently identify and prioritize exposures from endpoint to cloud with full attack surface visibility and threat-aware risk context.