Stored Cross-Site Scripting Vulnerability in ProfileGrid Plugin
CVE-2024-8861
5.4 MEDIUM
Key Information:
- Vendor: WordPress
- CVE Published: 26 September 2024
What is CVE-2024-8861?
The ProfileGrid – User Profiles, Groups and Communities plugin for WordPress is vulnerable to Stored Cross-Site Scripting due to the improper implementation of the wp_kses_allowed_html function. The flaw exists in all versions up to and including 5.9.3.2. It permits authenticated users with Contributor-level access and above to inject malicious web scripts into pages. These scripts execute whenever any user accesses an affected page, potentially compromising the security of the website and its users.
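One way to check a site for this class of weakness, as an added example that is not the plugin's or WordPress's own code: it lists script-capable entries in an allowlist shaped like the one wp_kses_allowed_html() returns (tag => attribute => true). It assumes the weakness shows up as extra allowlist entries, which the advisory does not confirm; audit_allowed_html(), the risky tag and attribute lists, and the sample array are constructed for illustration.

```php
<?php
// Added example: audit a wp_kses-style allowlist for entries that let markup run script.
// RISKY_TAGS and RISKY_ATTRS are this example's choices, not a WordPress list.
const RISKY_TAGS  = array( 'script', 'iframe', 'object', 'embed' );
const RISKY_ATTRS = array( 'srcdoc' );

// Return one human-readable finding per risky tag or attribute.
function audit_allowed_html( array $allowed ): array {
    $findings = array();
    foreach ( $allowed as $tag => $attrs ) {
        $tag = strtolower( (string) $tag );
        if ( in_array( $tag, RISKY_TAGS, true ) ) {
            $findings[] = "tag <$tag> is allowed";
        }
        if ( ! is_array( $attrs ) ) {
            continue; // no attribute map to inspect for this tag
        }
        foreach ( array_keys( $attrs ) as $attr ) {
            $attr = strtolower( (string) $attr );
            // Event-handler attributes (onclick, onerror, ...) all start with "on".
            if ( strncmp( $attr, 'on', 2 ) === 0 || in_array( $attr, RISKY_ATTRS, true ) ) {
                $findings[] = "attribute $attr is allowed on <$tag>";
            }
        }
    }
    return $findings;
}

// Constructed sample allowlist so the script runs without WordPress.
// Inside WordPress, pass wp_kses_allowed_html( 'post' ) instead.
$sample = array(
    'a'      => array( 'href' => true, 'title' => true ),
    'img'    => array( 'src' => true, 'alt' => true, 'onerror' => true ),
    'div'    => array( 'class' => true, 'onclick' => true ),
    'iframe' => array( 'src' => true ),
);

foreach ( audit_allowed_html( $sample ) as $finding ) {
    echo $finding, PHP_EOL;
}
```

Because wp_kses_allowed_html() applies the filter of the same name, running the audit inside WordPress after plugins have loaded reports the allowlist as plugins have modified it, not just the core defaults.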
Affected Version(s)
ProfileGrid – User Profiles, Groups and Communities * <= 5.9.3.2