CVE-2023-3404

Name of the Vulnerable Software and Affected Versions ProfileGrid plugin for WordPress versions up to, and including, 5.5.0

Description The issue allows unauthorized decryption of private information. This is due to the passphrase and iv being hardcoded in the pm encrypt decrypt pass function, making it possible for authenticated attackers with administrator-level permissions or above to decrypt and view users' passwords. If combined with another issue, this can potentially grant lower-privileged users access to users' passwords.

Recommendations For ProfileGrid plugin for WordPress versions up to, and including, 5.5.0: Update to a version higher than 5.5.0 to resolve the issue. As a temporary workaround, consider restricting access to the pm encrypt decrypt pass function until a patch is available.