PT-2025-6605 · WordPress · Profilegrid

Tim Coen · Published 2025-02-18 · Updated 2025-02-24 · CVE-2024-13740

CVSS v3.1: 4.3 (Medium)

Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Name of the Vulnerable Software and Affected Versions: ProfileGrid – User Profiles, Groups and Communities plugin for WordPress versions up to, and including, 5.9.4.2

Description: The issue allows authenticated attackers with Subscriber-level access and above to read private conversations of other users due to missing validation on a user-controlled key in the pm messenger show messages function. This is an Insecure Direct Object Reference (IDOR) vulnerability.

Recommendations: For versions up to, and including, 5.9.4.2, consider disabling the pm messenger show messages function as a temporary workaround until a patch is available. Restrict access to private conversations to minimize the risk of exploitation. Avoid using the vulnerable function until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

IDOR

Weakness Enumeration

Related Identifiers: CVE-2024-13740

Affected Products: Profilegrid