CVE-2024-13740

by Fred · 18/02/2025

The ProfileGrid – User Profiles, Groups and Communities plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 5.9.4.2 via the pm_messenger_show_messages function due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Subscriber-level access and above, to read private conversations of other users.

More information : https://plugins.trac.wordpress.org/browser/profilegrid-user-profiles-groups-and-communities/tags/5.9.4.2/public/class-profile-magic-public.php#L1299

CVE-2024-13740

Similar

Recent Posts

Categories

CVE-2024-13740

Share this:

Similar

Recent Posts

Categories

Tags