cve,link,title,description,vendor,products,score,severity,epss,cisa,cisa_published,article,ransomware,exploited,poc,trended,trended_no_1,published,trended_score
CVE-2024-10900,https://securityvulnerability.io/vulnerability/CVE-2024-10900,Unauthorized Modification of User Meta Data in ProfileGrid,"The ProfileGrid – User Profiles, Groups and Communities plugin for WordPress has a vulnerability due to a missing capability check in the pm_remove_file_attachment() function. This issue, present in all versions up to and including 5.9.3.6, allows authenticated attackers with subscriber-level access or higher to delete arbitrary user metadata. This could potentially lead to severe disruptions, including the denial of access for administrators to their own sites, posing significant security concerns for WordPress users reliant on this plugin.",Wordpress,"Profilegrid – User Profiles, Groups And Communities",8.1,HIGH,0.0005099999834783375,false,,false,false,false,,false,false,2024-11-20T06:42:54.323Z,0
CVE-2024-8861,https://securityvulnerability.io/vulnerability/CVE-2024-8861,Stored Cross-Site Scripting Vulnerability in ProfileGrid Plugin,"The ProfileGrid – User Profiles, Groups and Communities plugin for WordPress has a vulnerability that allows for Stored Cross-Site Scripting due to the improper implementation of the wp_kses_allowed_html function. This flaw exists in all versions up to and including 5.9.3.2. It permits authenticated users with Contributor-level access and above to exploit the system by injecting malicious web scripts into pages. These scripts will execute whenever an affected page is accessed by any user, potentially compromising the security of the website and its users.",Wordpress,"Profilegrid – User Profiles, Groups And Communities",5.4,MEDIUM,0.0005200000014156103,false,,false,false,false,,false,false,2024-09-26T07:34:37.160Z,0
CVE-2024-5453,https://securityvulnerability.io/vulnerability/CVE-2024-5453,Unauthorized Modification of Data Vulnerability in ProfileGrid Plugin,"The ProfileGrid – User Profiles, Groups and Communities plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the pm_dismissible_notice and pm_wizard_update_group_icon functions in all versions up to, and including, 5.8.6. This makes it possible for authenticated attackers, with Subscriber-level access and above, to change arbitrary options to the value '1' or change group icons.",Wordpress,"Profilegrid – User Profiles, Groups And Communities",4.3,MEDIUM,0.0005300000193528831,false,,false,false,false,,false,false,2024-06-05T08:15:00.000Z,0
CVE-2024-3606,https://securityvulnerability.io/vulnerability/CVE-2024-3606,Unauthorized Data Deletion Vulnerability in ProfileGrid Plugin,"The ProfileGrid – User Profiles, Memberships, Groups and Communities plugin for WordPress is vulnerable to unauthorized deletion of data due to a missing capability check on the pm_upload_cover_image function in all versions up to, and including, 5.8.3. This makes it possible for authenticated attackers, with subscriber access or higher, to delete attachments.",Wordpress,"Profilegrid – User Profiles, Memberships, Groups And Communities",4.3,MEDIUM,0.0004299999854993075,false,,false,false,false,,false,false,2024-05-02T16:52:33.934Z,0
CVE-2023-3404,https://securityvulnerability.io/vulnerability/CVE-2023-3404,Unauthorized Decryption Vulnerability in ProfileGrid Plugin for WordPress,"The ProfileGrid plugin for WordPress presents a serious vulnerability due to hardcoded passphrase and initialization vector (iv) in its 'pm_encrypt_decrypt_pass' function. This flaw affects all sites utilizing the plugin versions up to and including 5.5.0, enabling authenticated attackers with administrator-level access to decrypt and potentially expose users' passwords. If exploited in conjunction with additional vulnerabilities, this could allow users with lower privileges to gain access to sensitive information, raising significant cybersecurity concerns.",Wordpress,"ProfileGrid – User Profiles, Memberships, Groups and Communities",4.9,MEDIUM,0.00044999999227002263,false,,false,false,false,,false,false,2023-08-31T06:15:00.000Z,0
CVE-2023-3713,https://securityvulnerability.io/vulnerability/CVE-2023-3713,Unauthorized Data Modification in ProfileGrid Plugin for WordPress,"The ProfileGrid plugin for WordPress has a significant flaw that allows authenticated users with minimum subscriber-level permissions to exploit a missing capability check in the 'profile_magic_check_smtp_connection' function. This vulnerability can be leveraged to update site options without proper authorization, potentially leading to privilege escalation and unauthorized changes within the site configuration.",Wordpress,"ProfileGrid – User Profiles, Memberships, Groups and Communities",8.8,HIGH,0.00044999999227002263,false,,false,false,false,,false,false,2023-07-18T03:15:00.000Z,0
CVE-2023-3403,https://securityvulnerability.io/vulnerability/CVE-2023-3403,Unauthorized Data Modification in ProfileGrid Plugin for WordPress,"The ProfileGrid plugin for WordPress allows authenticated users with subscriber-level permissions or higher to exploit a flaw in the 'pm_upload_csv' function, leading to unauthorized modifications of user data. This vulnerability arises from a missing capability check, enabling attackers to import new users and alter existing user information without proper authorization, potentially compromising the integrity of user data.",Wordpress,"ProfileGrid – User Profiles, Memberships, Groups and Communities",4.3,MEDIUM,0.0005799999926239252,false,,false,false,false,,false,false,2023-07-18T03:15:00.000Z,0
CVE-2023-3714,https://securityvulnerability.io/vulnerability/CVE-2023-3714,Unauthorized Data Modification in ProfileGrid Plugin for WordPress,"The ProfileGrid plugin for WordPress is susceptible to unauthorized data manipulation due to insufficient capability checks on the 'edit_group' handler. This weakness allows authenticated attackers, who own specific groups, to modify critical group settings, including the 'associate_role' parameter that governs member roles. Although version 5.5.2 included a partial fix preventing privilege escalation, it is recommended to update to version 5.5.3, which resolves the vulnerability completely.",Wordpress,"ProfileGrid – User Profiles, Memberships, Groups and Communities",8.8,HIGH,0.00107999995816499,false,,false,false,false,,false,false,2023-07-18T03:15:00.000Z,0
CVE-2022-3578,https://securityvulnerability.io/vulnerability/CVE-2022-3578,ProfileGrid < 5.1.1 - Reflected Cross-Site Scripting,"The ProfileGrid WordPress plugin before 5.1.1 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting",Wordpress,"Profilegrid – User Profiles, Memberships, Groups And Communities",6.1,MEDIUM,0.0010999999940395355,false,,false,false,false,,false,false,2022-11-14T00:00:00.000Z,0
CVE-2022-0233,https://securityvulnerability.io/vulnerability/CVE-2022-0233,"ProfileGrid – User Profiles, Memberships, Groups and Communities <= 4.7.4 Authenticated Stored Cross-Site Scripting","The ProfileGrid – User Profiles, Memberships, Groups and Communities WordPress plugin is vulnerable to Stored Cross-Site Scripting due to insufficient escaping via the pm_user_avatar and pm_cover_image parameters found in the ~/admin/class-profile-magic-admin.php file which allows attackers with authenticated user access, such as subscribers, to inject arbitrary web scripts into their profile, in versions up to and including 1.2.7.",Wordpress,"Profilegrid – User Profiles, Memberships, Groups And Communities",6.4,MEDIUM,0.0006300000241026282,false,,false,false,false,,false,false,2022-01-18T16:52:28.000Z,0