ProfileGrid
cpe:2.3:a:profilegrid:profilegrid:*:*:*:*:wordpress:*:*
- <= 5.9.7.2
The ProfileGrid – User Profiles, Groups and Communities plugin for WordPress is vulnerable to Insecure Direct Object Reference (IDOR) in all versions up to and including 5.9.7.2. The 'pm_upload_image' and 'pm_upload_cover_image' AJAX actions take the target user ID from the request and pass it to update_user_meta() without verifying that the requester is that user or is otherwise authorized to edit that user. Any authenticated user with Subscriber-level access or above can therefore change the profile or cover image of any other user, including administrators.
Successful exploitation allows unauthorized modification of any user's profile and cover images, which can be used to impersonate or misrepresent the targeted account.
To reproduce, an authenticated user with Subscriber-level access or higher sends a request to the 'pm_upload_image' or 'pm_upload_cover_image' AJAX action with a 'user_id' parameter naming the target user and an 'attachment_id' identifying the image to assign. Because the handler does not check that the requester is allowed to edit the user named in 'user_id', the image is written to that user's profile, even when the target is an administrator.
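The following PHP is an added illustration and is not ProfileGrid's code: it shows the general shape of the flaw described above (a wp_ajax handler that takes 'user_id' from the request and hands it straight to update_user_meta()) next to a hardened handler that adds a nonce check, a per-user authorization check, and validation of the attachment. The action names, the nonce action name, and the meta key 'example_profile_image' are assumptions made for the example; the WordPress functions used are real core APIs.

```php
<?php
// Illustrative pattern only (not the plugin's code). Action names, nonce action
// and the meta key 'example_profile_image' are assumed for this example.

// --- Vulnerable shape: any logged-in user can set any user's image ---
add_action( 'wp_ajax_example_upload_image_vulnerable', function () {
    // user_id is trusted straight from the request: this is the IDOR.
    $user_id       = (int) $_POST['user_id'];
    $attachment_id = (int) $_POST['attachment_id'];

    // No check that the caller *is* $user_id or may edit that user.
    update_user_meta( $user_id, 'example_profile_image', $attachment_id );
    wp_send_json_success();
} );

// --- Hardened shape: CSRF nonce + per-object authorization + input validation ---
add_action( 'wp_ajax_example_upload_image_hardened', function () {
    // 1. Reject cross-site requests. check_ajax_referer() dies on a bad nonce.
    check_ajax_referer( 'example_upload_image', 'nonce' );

    $user_id       = isset( $_POST['user_id'] ) ? absint( $_POST['user_id'] ) : 0;
    $attachment_id = isset( $_POST['attachment_id'] ) ? absint( $_POST['attachment_id'] ) : 0;

    // 2. Authorization against the object actually being modified: the caller
    //    may only touch their own profile unless they hold the 'edit_user'
    //    meta capability for that specific user (administrators do).
    if ( $user_id !== get_current_user_id() && ! current_user_can( 'edit_user', $user_id ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    // 3. The attachment must exist, be an image, and be usable by the caller
    //    (their own upload, or they may edit others' media).
    $attachment = get_post( $attachment_id );
    if ( ! $attachment || 'attachment' !== $attachment->post_type || ! wp_attachment_is_image( $attachment_id ) ) {
        wp_send_json_error( 'invalid attachment', 400 );
    }
    if ( (int) $attachment->post_author !== get_current_user_id() && ! current_user_can( 'edit_others_posts' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    update_user_meta( $user_id, 'example_profile_image', $attachment_id );
    wp_send_json_success( array( 'user_id' => $user_id, 'attachment_id' => $attachment_id ) );
} );
```

The key difference is step 2: the authorization check is made against the user ID the request names, not merely against whether the caller is logged in. Registering the action only under 'wp_ajax_' (and not 'wp_ajax_nopriv_') keeps it away from anonymous callers, but that alone does not stop one authenticated user from acting on another's record, which is exactly the gap described above.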
Users are advised to update the ProfileGrid WordPress plugin to version 5.9.7.3 or later.