CVE-2025-13416
Unauthorized User Suspension in ProfileGrid WordPress Plugin
Publication date: 2026-02-05
Last updated on: 2026-02-05
Assigner: Wordfence
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| profilegrid | profilegrid | up to and including 5.9.7.2 |
| profilegrid | profilegrid | 5.9.7.3 |
| profilegrid | profilegrid | 5.9.6.5 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-862 | The product does not perform an authorization check when an actor attempts to access a resource or perform an action. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
The ProfileGrid – User Profiles, Groups and Communities plugin for WordPress has a vulnerability in all versions up to and including 5.9.7.2 where there is a missing capability check in the function pm_deactivate_user_from_group().
This flaw allows authenticated users with Subscriber-level access or higher to suspend arbitrary users from groups, including administrators, by exploiting the pm_deactivate_user_from_group AJAX action without proper authorization.
The vulnerability arises because the plugin does not verify if the user has the right permissions before suspending other users from groups.
This issue was fixed in version 5.9.7.3 by adding strict authorization checks and sanitization to prevent unauthorized user suspension and profile modifications.
How can this vulnerability impact me?
This vulnerability can impact you by allowing an attacker with minimal privileges (Subscriber-level or above) to suspend any user from groups within the WordPress site, including administrators.
Such unauthorized suspension can disrupt group memberships, potentially locking out legitimate users or administrators from group functionalities.
This could lead to denial of service for group-based features, administrative disruption, and potential loss of control over user group management.
While the vulnerability does not directly affect confidentiality or availability of the entire site, it does impact the integrity of group membership management.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves unauthorized user suspension via the AJAX action pm_deactivate_user_from_group, exploitable by authenticated users with Subscriber-level access and above.
To detect exploitation attempts on your system or network, you can monitor HTTP requests targeting the AJAX endpoint that handles the pm_deactivate_user_from_group action.
Specifically, look for POST requests to the WordPress admin-ajax.php URL with the parameter action=pm_deactivate_user_from_group.
Example command using command-line tools to detect such requests in web server logs (assuming Apache logs):
- grep 'admin-ajax.php' /var/log/apache2/access.log | grep 'action=pm_deactivate_user_from_group'
Alternatively, if you have network traffic capture tools like tcpdump or Wireshark, you can filter HTTP POST requests containing the action parameter.
- tcpdump -A -s 0 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)' | grep 'action=pm_deactivate_user_from_group'
Monitoring WordPress user suspension logs or audit logs for unexpected suspensions of users, especially administrators, may also help detect exploitation.
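The grep above only matches when the action name is in the query string; as an added example (not part of this advisory or the plugin's code), the Python below parses Apache combined-format lines, flags admin-ajax.php requests carrying action=pm_deactivate_user_from_group, counts them per client IP, and separately lists admin-ajax.php POSTs whose action is only in the request body and so cannot be classified from the access log alone. The log lines are constructed, and the tcpdump route likewise sees the parameter only for plaintext HTTP, not TLS.

```python
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

# Constructed Apache combined-format lines (not real traffic): one client
# repeatedly calls the suspension action via the query string; another POSTs
# to admin-ajax.php with the action in the body, so only the path is visible.
SAMPLE_LOG = """\
203.0.113.5 - - [05/Feb/2026:10:01:02 +0000] "POST /wp-admin/admin-ajax.php?action=pm_deactivate_user_from_group HTTP/1.1" 200 57 "-" "curl/8.4.0"
203.0.113.5 - - [05/Feb/2026:10:01:03 +0000] "POST /wp-admin/admin-ajax.php?action=pm_deactivate_user_from_group HTTP/1.1" 200 57 "-" "curl/8.4.0"
198.51.100.7 - - [05/Feb/2026:10:02:10 +0000] "GET /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 120 "-" "Mozilla/5.0"
203.0.113.5 - - [05/Feb/2026:10:01:04 +0000] "POST /wp-admin/admin-ajax.php?action=pm_deactivate_user_from_group HTTP/1.1" 200 57 "-" "curl/8.4.0"
198.51.100.7 - - [05/Feb/2026:10:03:00 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 57 "https://example.test/groups/" "Mozilla/5.0"
"""

SUSPICIOUS_ACTION = "pm_deactivate_user_from_group"

# client ident user [timestamp] "METHOD path PROTO" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)

def parse_line(line):
    """Return ip, ts, method, status, file and action for one line, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    url = urlsplit(rec["path"])
    rec["file"] = url.path.rsplit("/", 1)[-1]
    rec["action"] = parse_qs(url.query).get("action", [None])[0]
    return rec

def find_suspension_calls(log_text, action=SUSPICIOUS_ACTION):
    """admin-ajax.php requests whose query string names the suspension action."""
    recs = (parse_line(l) for l in log_text.splitlines())
    return [r for r in recs if r and r["file"] == "admin-ajax.php" and r["action"] == action]

def count_by_ip(hits):
    """Per-client volume; a burst from a single low-privilege session is the signal."""
    return Counter(h["ip"] for h in hits)

def find_opaque_ajax_posts(log_text):
    """admin-ajax.php POSTs with no action in the URL: the action is in the body,
    so these need WAF or application-level logging to classify, not the access log."""
    recs = (parse_line(l) for l in log_text.splitlines())
    return [r for r in recs if r and r["file"] == "admin-ajax.php"
            and r["method"] == "POST" and r["action"] is None]
```

Run find_opaque_ajax_posts alongside the match list: a non-empty result means the access log alone cannot rule out calls to the vulnerable action.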
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation step is to update the ProfileGrid – User Profiles, Groups and Communities plugin to version 5.9.7.3 or later, which includes fixes for this vulnerability by enforcing proper authorization checks.
If immediate updating is not possible, consider temporarily restricting access to the AJAX action pm_deactivate_user_from_group by disabling or blocking it via web application firewall (WAF) rules or server configuration.
Additionally, review user roles and permissions to ensure that only trusted users have Subscriber-level access or higher, minimizing the risk of exploitation.
Monitor logs for suspicious activity related to user suspensions and unauthorized AJAX requests as a temporary detection measure.