CVE-2024-3606 – ProfileGrid – User Profiles, Memberships, Groups and Communities <= 5.8.3 - Missing Authorization

https://notcve.org/view.php?id=CVE-2024-3606

The ProfileGrid – User Profiles, Memberships, Groups and Communities plugin for WordPress is vulnerable to unauthorized deletion of data due to a missing capability check on the pm_upload_cover_image function in all versions up to, and including, 5.8.3. This makes it possible for authenticated attackers, with subscriber access or higher, to delete attachments. El complemento ProfileGrid – User Profiles, Memberships, Groups and Communities para WordPress es vulnerable a la eliminación no autorizada de datos debido a una falta de verificación de capacidad en la función pm_upload_cover_image en todas las versiones hasta la 5.8.3 incluida. Esto hace posible que atacantes autenticados, con acceso de suscriptor o superior, eliminen archivos adjuntos. • https://plugins.trac.wordpress.org/changeset/3069928/profilegrid-user-profiles-groups-and-communities/trunk?contextall=1&old=3068943&old_path=%2Fprofilegrid-user-profiles-groups-and-communities%2Ftrunk https://www.wordfence.com/threat-intel/vulnerabilities/id/c039d2fe-7518-4724-a025-6380a53fb58c?source=cve • CWE-862: Missing Authorization •