CVE-2023-0940

Name of the Vulnerable Software and Affected Versions ProfileGrid WordPress plugin versions prior to 5.3.1

Description The issue arises from an AJAX endpoint for resetting user passwords that lacks proper authorization. This allows users with low privileges, such as subscribers, to change the password of any account, including those of administrators.

Recommendations For versions prior to 5.3.1, update to version 5.3.1 or later to resolve the issue. As a temporary workaround, consider restricting access to the AJAX endpoint for password reset until the update is applied.