PT-2024-37603 · WordPress · Profilegrid

Tieu Pham Trong Nhan · Published 2024-07-10 · Updated 2025-02-10 · CVE-2024-6410

CVSS v3.1: 4.3 (Medium)

Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Name of the Vulnerable Software and Affected Versions

The ProfileGrid – User Profiles, Groups and Communities plugin for WordPress, versions up to and including 5.8.9

Description

The issue is an Insecure Direct Object Reference (IDOR). It affects the pm upload image function, which is missing validation on a user-controlled key. This allows authenticated attackers with Subscriber-level access and above to change the profile picture of any user.

Recommendations

For versions up to and including 5.8.9, consider disabling the pm upload image function until a patch is available to prevent exploitation. Restrict access to profile picture modification features to minimize the risk of unauthorized changes.

Fix

IDOR

Weakness Enumeration

Related Identifiers: CVE-2024-6410

Affected Products: Profilegrid