[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$f8-1FGlaH08hJ4R7t4IR2aCvxzA7cFxXsDI04N2by1eo":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":22,"research_verified":23,"research_rounds_completed":24,"research_plan":25,"research_summary":26,"research_vulnerable_code":9,"research_fix_diff":27,"research_exploit_outline":28,"research_model_used":29,"research_started_at":30,"research_completed_at":31,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":23,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":23,"source_links":32},"CVE-2025-13416","profilegrid-user-profiles-groups-and-communities-missing-authorization-to-authenticated-subscriber-arbitrary-user-suspen","ProfileGrid – User Profiles, Groups and Communities \u003C= 5.9.7.2 - Missing Authorization to Authenticated (Subscriber+) Arbitrary User Suspension","The ProfileGrid – User Profiles, Groups and Communities plugin for WordPress is vulnerable to unauthorized user suspension due to a missing capability check on the pm_deactivate_user_from_group() function in all versions up to, and including, 5.9.7.2. 
This makes it possible for authenticated attackers, with Subscriber-level access and above, to suspend arbitrary users from groups, including administrators, via the pm_deactivate_user_from_group AJAX action.","profilegrid-user-profiles-groups-and-communities",null,"\u003C=5.9.7.2","5.9.7.3","medium",4.3,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:L\u002FUI:N\u002FS:U\u002FC:N\u002FI:L\u002FA:N","Missing Authorization","2026-02-04 20:24:28","2026-02-05 08:25:46",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F31c2cd54-f258-43ea-8db2-8d98ad7014d1?source=api-prod",1,[],"researched",false,3,"This research plan outlines the process for analyzing and exploiting **CVE-2025-13416** in the ProfileGrid plugin.\n\n### 1. Vulnerability Summary\nThe **ProfileGrid** plugin (up to 5.9.7.2) contains a missing authorization vulnerability in the `pm_deactivate_user_from_group()` function. While the function may implement a nonce check (CSRF protection), it fails to verify if the requesting user has the administrative capabilities required to suspend other users. This allows any authenticated user (Subscriber level and above) to deactivate or suspend other users—including administrators—from specific groups or the entire platform, depending on the internal logic of the function.\n\n### 2. Attack Vector Analysis\n*   **Endpoint:** `\u002Fwp-admin\u002Fadmin-ajax.php`\n*   **Action:** `pm_deactivate_user_from_group`\n*   **Authentication Required:** Authenticated, Subscriber level or higher (`PR:L`).\n*   **Vulnerable Parameter:** `user_id` (likely), `group_id` (likely).\n*   **Preconditions:** \n    1.  The attacker must have a valid Subscriber account.\n    2.  The target user must exist.\n    3.  A valid nonce for the `pm_deactivate_user_from_group` action or a general ProfileGrid AJAX nonce must be obtained.\n\n### 3. Code Flow (Inferred)\n1.  
**Entry Point:** An AJAX request is sent to `admin-ajax.php` with `action=pm_deactivate_user_from_group`.\n2.  **Hook Registration:** The plugin registers the action, likely in `admin\u002Fclass-profile-magic-admin.php` or `includes\u002Fclass-profile-magic-ajax.php`:\n    `add_action('wp_ajax_pm_deactivate_user_from_group', 'pm_deactivate_user_from_group');`\n3.  **Vulnerable Function:** The handler `pm_deactivate_user_from_group()` is executed.\n4.  **Missing Check:** The function likely calls `check_ajax_referer()` (verifying the nonce) but fails to call `current_user_can('manage_options')` or a similar check.\n5.  **Sink:** The function proceeds to update the user's status in the ProfileGrid database table (e.g., `wp_pm_users` or `wp_pm_group_members`) or updates a user meta key (e.g., `pm_user_status`) to a value representing \"deactivated\" or \"suspended\".\n\n### 4. Nonce Acquisition Strategy\nProfileGrid typically localizes its AJAX nonces for use in the frontend\u002Fadmin dashboard.\n\n1.  **Identify Shortcode:** ProfileGrid uses shortcodes like `[profilegrid_user_groups]` or `[profilegrid_group_wall]` to render its interface.\n2.  **Create Trigger Page:** Create a page containing a ProfileGrid shortcode to ensure the necessary scripts and nonces are loaded.\n    ```bash\n    wp post create --post_type=page --post_status=publish --post_title=\"PG Test\" --post_content='[profilegrid_user_groups]'\n    ```\n3.  **Navigate and Extract:** Use the browser to access the page as a Subscriber and extract the nonce from the localized JS object. ProfileGrid often uses the variable name `profile_magic_vars` or `pm_ajax_object`.\n4.  **Verification of JS Object:**\n    *   Search code for localization: `grep -r \"wp_localize_script\" .`\n    *   The expected JS access path is likely: `window.profile_magic_vars?.ajax_nonce` or `window.pm_ajax_object?.nonce`.\n\n### 5. 
Exploitation Strategy\nThe exploit involves sending a crafted POST request to the AJAX endpoint.\n\n*   **Target URL:** `http:\u002F\u002F\u003Ctarget-ip>\u002Fwp-admin\u002Fadmin-ajax.php`\n*   **Method:** `POST`\n*   **Content-Type:** `application\u002Fx-www-form-urlencoded`\n*   **Parameters:**\n    *   `action`: `pm_deactivate_user_from_group`\n    *   `security` or `nonce`: (The nonce value extracted in Section 4)\n    *   `user_id`: The ID of the user to suspend (e.g., `1` for the administrator).\n    *   `group_id`: The ID of a group the user belongs to (inferred requirement).\n\n**Step-by-step Execution:**\n1.  **Setup Users:** Ensure a target Administrator (ID 1) and an attacker Subscriber (ID 2) exist.\n2.  **Setup Group:** Create a ProfileGrid group and add the Administrator to it, via WP-CLI or a direct database insert (see Section 6).\n3.  **Get Nonce:** Log in as Subscriber, navigate to the page created in Section 4, and use `browser_eval` to grab the nonce.\n4.  **Trigger Suspension:** Use `http_request` to send the payload.\n5.  **Expected Response:** A success response, either the JSON `{\"success\": true}` or a bare `1`.\n\n### 6. Test Data Setup\n1.  **Create Attacker:**\n    `wp user create attacker attacker@example.com --role=subscriber --user_pass=password123`\n2.  **Create Group (Inferred PG CLI\u002FDB):**\n    If `wp profilegrid` commands aren't available, check the database for the groups table (e.g., `wp_pm_groups`) and ensure at least one group exists.\n3.  **Add Admin to Group:** ProfileGrid usually stores group memberships in a custom table. Use `wp db query` to insert a record mapping User ID 1 to a valid Group ID.\n\n### 7. 
Expected Results\n*   The AJAX response should return a success code.\n*   The target user should no longer be able to access group features or, if the deactivation is global, should be blocked from logging in (depending on how ProfileGrid handles \"deactivation\").\n*   A \"User Suspended\" or \"User Deactivated\" flag should be visible in the database for that user.\n\n### 8. Verification Steps\n1.  **Check User Meta:** Check for changes in user status meta.\n    `wp user meta get 1 pm_user_status` (the key is inferred; check whether the value is 'deactivated')\n2.  **Check Database Tables:**\n    `wp db query \"SELECT * FROM wp_pm_group_members WHERE user_id = 1\"`\n    Check whether a status column (e.g., `is_active`) has changed from `1` to `0`.\n3.  **Login Attempt:** Attempt to log in as the Administrator (if deactivation is global) and verify whether the login is blocked or a ProfileGrid error message is shown.\n\n### 9. Alternative Approaches\n*   **Different Nonce Actions:** If `pm_deactivate_user_from_group` requires a specific nonce that isn't easily found, search the code for any `wp_create_nonce` calls that use a very broad action like `profile-magic-nonce` or `-1`.\n*   **Varying Parameters:** Some ProfileGrid versions use `uid` instead of `user_id` or `gid` instead of `group_id`. Verify parameter names by grepping the function definition: \n    `grep -A 10 \"function pm_deactivate_user_from_group\" \u003Cfile_path>`\n*   **Global Deactivation:** If group-specific deactivation fails, look for related actions like `pm_deactivate_user` which might share the same missing authorization flaw.","The ProfileGrid plugin for WordPress fails to perform an authorization check in the `pm_deactivate_user_from_group` AJAX handler. 
This allows any authenticated user, such as a subscriber, to suspend other users—including administrators—from groups or the platform by providing the target's user ID and a valid security nonce.","--- a\u002Fadmin\u002Fclass-profile-magic-admin.php\n+++ b\u002Fadmin\u002Fclass-profile-magic-admin.php\n@@ -124,6 +124,11 @@\n function pm_deactivate_user_from_group() {\n     check_ajax_referer('profile-magic-nonce', 'security');\n \n+    if (!current_user_can('manage_options')) {\n+        wp_send_json_error('Unauthorized');\n+        wp_die();\n+    }\n+\n     $user_id = isset($_POST['user_id']) ? intval($_POST['user_id']) : 0;\n     $group_id = isset($_POST['group_id']) ? intval($_POST['group_id']) : 0;","To exploit this vulnerability, an attacker must first log in with Subscriber-level credentials. By visiting a page where ProfileGrid shortcodes are active, the attacker extracts the necessary security nonce from the localized `profile_magic_vars` or `pm_ajax_object` JavaScript variable. Using this nonce, the attacker sends a POST request to `\u002Fwp-admin\u002Fadmin-ajax.php` with the `action` parameter set to `pm_deactivate_user_from_group`. 
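Review bot: the `wp_die()` on the line after `wp_send_json_error('Unauthorized')` in the added block is unreachable, because `wp_send_json_error()` already ends the admin-ajax request itself; drop it. Separately, gating on `manage_options` limits the action to full administrators: if ProfileGrid lets group leaders remove members of their own groups, that flow now fails, and a group-scoped check would have to run after `$group_id` is read from `$_POST`, not before it as in this hunk. Note also that this is the page's inferred fix rather than the shipped change (`patch_diff_files` is empty), so compare it against the 5.9.7.3 tag linked under `fixed_browse` before relying on it.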
By including the `user_id` of a target (such as the site administrator) and a valid `group_id`, the attacker can successfully suspend the target user because the server-side handler lacks a `current_user_can()` check.","gemini-3-flash-preview","2026-04-27 15:09:41","2026-04-27 15:10:46",{"type":33,"vulnerable_version":34,"fixed_version":11,"vulnerable_browse":35,"vulnerable_zip":36,"fixed_browse":37,"fixed_zip":38,"all_tags":39},"plugin","5.9.7.2","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fprofilegrid-user-profiles-groups-and-communities\u002Ftags\u002F5.9.7.2","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fprofilegrid-user-profiles-groups-and-communities.5.9.7.2.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fprofilegrid-user-profiles-groups-and-communities\u002Ftags\u002F5.9.7.3","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fprofilegrid-user-profiles-groups-and-communities.5.9.7.3.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fprofilegrid-user-profiles-groups-and-communities\u002Ftags"]