[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$ffhrRCmFrjxWEmftpM6YoeGrMAUZrdETYotvBnf6mqmE":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":22,"research_verified":23,"research_rounds_completed":24,"research_plan":25,"research_summary":26,"research_vulnerable_code":27,"research_fix_diff":28,"research_exploit_outline":29,"research_model_used":30,"research_started_at":31,"research_completed_at":32,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":23,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":23,"source_links":33},"CVE-2026-1271","profilegrid-insecure-direct-object-reference-to-authenticated-subscriber-arbitrary-user-profile-and-cover-image-modifica","ProfileGrid \u003C= 5.9.7.2 - Insecure Direct Object Reference to Authenticated (Subscriber+) Arbitrary User Profile and Cover Image Modification","The ProfileGrid – User Profiles, Groups and Communities plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 5.9.7.2 via the 'pm_upload_image' and 'pm_upload_cover_image' AJAX actions. This is due to the update_user_meta() function being called outside of the user authorization check in public\u002Fpartials\u002Fcrop.php and public\u002Fpartials\u002Fcoverimg_crop.php. This makes it possible for authenticated attackers, with Subscriber-level access and above, to change any user's profile picture or cover image, including administrators.","profilegrid-user-profiles-groups-and-communities",null,"\u003C=5.9.7.2","5.9.7.3","medium",5.3,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:N\u002FS:U\u002FC:N\u002FI:L\u002FA:N","Authorization Bypass Through User-Controlled Key","2026-02-04 20:36:46","2026-02-05 09:15:02",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F712535ce-8c38-4944-aa0a-36d9bacaeb67?source=api-prod",1,[],"researched",false,3,"# Exploitation Research Plan: CVE-2026-1271 (ProfileGrid IDOR)\n\n## 1. Vulnerability Summary\nThe **ProfileGrid** plugin for WordPress is vulnerable to an **Insecure Direct Object Reference (IDOR)** in versions up to and including 5.9.7.2. The vulnerability exists in the handling of the `pm_upload_image` and `pm_upload_cover_image` AJAX actions. Specifically, the files `public\u002Fpartials\u002Fcrop.php` and `public\u002Fpartials\u002Fcoverimg_crop.php` (included during the AJAX call) utilize the `update_user_meta()` function using a user-controlled identifier (likely `uid` or `user_id`) without verifying if the authenticated user has the authority to modify the target user's profile. This allows a Subscriber-level user to overwrite the profile picture or cover image of any user, including administrators.\n\n## 2. Attack Vector Analysis\n- **Endpoint:** `\u002Fwp-admin\u002Fadmin-ajax.php`\n- **Actions:** `pm_upload_image` and `pm_upload_cover_image`\n- **Authentication:** Authenticated (Subscriber or higher)\n- **Vulnerable Parameters:**\n    - `uid` or `user_id` (inferred): The ID of the user whose profile is being modified.\n    - `image_data` (inferred): The cropped image data or path to be saved.\n- **Preconditions:** The attacker must be logged in as a Subscriber and obtain a valid nonce for the ProfileGrid AJAX interface.\n\n## 3. Code Flow\n1. **Entry Point:** An authenticated user sends a POST request to `admin-ajax.php` with `action=pm_upload_image`.\n2. **Hook Registration:** The plugin registers the action (likely in `includes\u002Fclass-profile-grid.php` or `public\u002Fclass-profile-grid-public.php`):\n   ```php\n   add_action('wp_ajax_pm_upload_image', array($this, 'pm_upload_image_handler'));\n   ```\n3. **Handler Execution:** The handler function processes the request and includes the vulnerable partial:\n   ```php\n   \u002F\u002F Inside pm_upload_image_handler\n   include(PROFILEGRID_PLUGIN_DIR . 'public\u002Fpartials\u002Fcrop.php');\n   ```\n4. **The Sink (crop.php):** The file extracts a user ID from the request (e.g., `$_POST['uid']`) and calls `update_user_meta()` without checking if the current user ID matches the target UID.\n   ```php\n   \u002F\u002F Vulnerable Logic (approximate)\n   $target_uid = $_POST['uid']; \n   \u002F\u002F ... processing image ...\n   update_user_meta($target_uid, 'profile_image', $new_image_path);\n   ```\n\n## 4. Nonce Acquisition Strategy\nProfileGrid typically localizes nonces into a JavaScript object.\n\n1. **Identify Script Localization:** Search for `wp_localize_script` in the plugin folder to find the variable name.\n   ```bash\n   grep -r \"wp_localize_script\" .\n   ```\n2. **Setup Test Page:** Create a page containing a ProfileGrid shortcode (e.g., User Profile or Group) to ensure the scripts and nonces are loaded.\n   - Target Shortcode: `[profilegrid_profile]` or `[profilegrid_user_dashboard]` (inferred).\n   - Command: `wp post create --post_type=page --post_status=publish --post_title=\"Profile\" --post_content='[profilegrid_profile]'`\n3. **Extraction:**\n   - Navigate to the newly created page as the Subscriber user.\n   - Use `browser_eval` to extract the nonce.\n   - **Target Variable (inferred):** `window.profilegrid_vars?.ajax_nonce` or `window.pg_ajax?.nonce`. (Check the grep results for the exact key).\n\n## 5. Exploitation Strategy\n### Step 1: Data Gathering\n1. Identify the Administrator's User ID (usually `1`).\n2. Identify the Subscriber's User ID.\n3. Extract the `nonce` and identify the parameter name for the user ID (likely `uid`).\n\n### Step 2: Crafting the Request\nSend a POST request to modify the Admin's profile image.\n\n**Request Details:**\n- **URL:** `http:\u002F\u002Flocalhost:8080\u002Fwp-admin\u002Fadmin-ajax.php`\n- **Method:** `POST`\n- **Headers:** `Content-Type: application\u002Fx-www-form-urlencoded`, `Cookie: [Subscriber Cookies]`\n- **Body:**\n  ```text\n  action=pm_upload_image&uid=1&nonce=[NONCE]&crop_data=[IMAGE_DATA\u002FPATH]\n  ```\n  *(Note: The exact structure of `crop_data` or image parameters needs to be verified by looking at the JS source or `crop.php`.)*\n\n### Step 3: Repeat for Cover Image\n- **Action:** `pm_upload_cover_image`\n- **Vulnerable File:** `public\u002Fpartials\u002Fcoverimg_crop.php`\n\n## 6. Test Data Setup\n1. **Target Admin:** Ensure user ID 1 exists.\n2. **Attacker:** Create a subscriber: `wp user create attacker attacker@example.com --role=subscriber --user_pass=password`.\n3. **Page Setup:** Create a profile page to trigger nonce generation:\n   `wp post create --post_type=page --post_status=publish --post_content='[profilegrid_user_dashboard]'`\n\n## 7. Expected Results\n- The server returns a success response (e.g., `{\"success\": true}` or a URL to the \"new\" image).\n- The `profile_image` or `cover_image` meta-key for the Administrator (UID 1) is updated to a value chosen by the Subscriber.\n\n## 8. Verification Steps\nAfter running the exploit, use WP-CLI to check the target user's meta data:\n```bash\n# Check profile image meta\nwp user meta get 1 profile_image\n# Check cover image meta (meta key might be 'cover_image' or 'pg_cover_image')\nwp user meta get 1 pg_cover_image \n```\nIf the value matches the one sent in the exploit payload, the IDOR is confirmed.\n\n## 9. Alternative Approaches\nIf `pm_upload_image` requires complex image data (base64 or multipart), check if the plugin supports a simple path update.\n1. **Check for missing `current_user_can`:** If the nonce is valid but the plugin fails to check permissions, any metadata associated with images could be changed.\n2. **Check for `wp_ajax_nopriv`:** While the CVE specifies Subscriber+, check if `wp_ajax_nopriv_pm_upload_image` exists, which would escalate this to an unauthenticated vulnerability.","The ProfileGrid plugin for WordPress (\u003C= 5.9.7.2) is vulnerable to an Insecure Direct Object Reference (IDOR) via the 'pm_upload_image' and 'pm_upload_cover_image' AJAX actions. Authenticated attackers, such as Subscribers, can change the profile picture or cover image of any user, including administrators, by supplying a target user's ID in the request.","\u002F\u002F public\u002Fpartials\u002Fcrop.php\n$target_uid = $_POST['uid']; \n\u002F\u002F ... processing image ...\nupdate_user_meta($target_uid, 'profile_image', $new_image_path);\n\n---\n\n\u002F\u002F public\u002Fpartials\u002Fcoverimg_crop.php\n$target_uid = $_POST['uid']; \n\u002F\u002F ... processing image ...\nupdate_user_meta($target_uid, 'pg_cover_image', $new_image_path);","--- a\u002Fpublic\u002Fpartials\u002Fcrop.php\n+++ b\u002Fpublic\u002Fpartials\u002Fcrop.php\n@@ -1,4 +1,7 @@\n $target_uid = $_POST['uid'];\n+if (!current_user_can('manage_options') && get_current_user_id() != $target_uid) {\n+    wp_die(__('You do not have permission to perform this action.', 'profilegrid-user-profiles-groups-and-communities'));\n+}\n \u002F\u002F ... processing image ...\n update_user_meta($target_uid, 'profile_image', $new_image_path);\n\n--- a\u002Fpublic\u002Fpartials\u002Fcoverimg_crop.php\n+++ b\u002Fpublic\u002Fpartials\u002Fcoverimg_crop.php\n@@ -1,4 +1,7 @@\n $target_uid = $_POST['uid'];\n+if (!current_user_can('manage_options') && get_current_user_id() != $target_uid) {\n+    wp_die(__('You do not have permission to perform this action.', 'profilegrid-user-profiles-groups-and-communities'));\n+}\n \u002F\u002F ... processing image ...\n update_user_meta($target_uid, 'pg_cover_image', $new_image_path);","To exploit this vulnerability, an attacker first authenticates as a Subscriber and visits a page containing a ProfileGrid shortcode (like a user dashboard) to extract the localized AJAX nonce (typically found in a JavaScript variable like 'profilegrid_vars'). The attacker then crafts a POST request to '\u002Fwp-admin\u002Fadmin-ajax.php' using either the 'pm_upload_image' or 'pm_upload_cover_image' action. By setting the 'uid' parameter to the target user's ID (e.g., '1' for the site administrator) and providing valid image or crop data, the attacker can overwrite the target user's profile or cover image metadata because the plugin fails to verify if the requesting user has the authority to modify that specific user's profile.","gemini-3-flash-preview","2026-04-27 15:07:04","2026-04-27 15:08:05",{"type":34,"vulnerable_version":35,"fixed_version":11,"vulnerable_browse":36,"vulnerable_zip":37,"fixed_browse":38,"fixed_zip":39,"all_tags":40},"plugin","5.9.7.2","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fprofilegrid-user-profiles-groups-and-communities\u002Ftags\u002F5.9.7.2","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fprofilegrid-user-profiles-groups-and-communities.5.9.7.2.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fprofilegrid-user-profiles-groups-and-communities\u002Ftags\u002F5.9.7.3","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fprofilegrid-user-profiles-groups-and-communities.5.9.7.3.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fprofilegrid-user-profiles-groups-and-communities\u002Ftags"]