cleantalk
Vulnerabilities and Security Researches

ProfileGrid – User Profiles, Memberships, Groups and Communities, CVE-2023-3404

CVE, Research URL

CVE-2023-3404

Home page URL

Security reports for ProfileGrid – User Profiles, Memberships, Groups and Communities

Application

ProfileGrid – User Profiles, Memberships, Groups and Communities

Published on
Aug 31, 2023
Research Description
The ProfileGrid plugin for WordPress is vulnerable to unauthorized decryption of private information in versions up to, and including, 5.5.0. This is due to the passphrase and iv being hardcoded in the 'pm_encrypt_decrypt_pass' function and used across all sites running the plugin. This makes it possible for authenticated attackers, with administrator-level permissions or above to decrypt and view users' passwords. If combined with another vulnerability, this can potentially grant lower-privileged users access to users' passwords.
Affected versions
Min -, max 5.5.1.
Status
vulnerable
Previous vulnerability researches
ProfileGrid – User Profiles, Memberships, Groups and Communities (CVE-2025-39586) , Apr 19, 2025
ProfileGrid – User Profiles, Memberships, Groups and Communities (CVE-2025-26999) , Mar 05, 2025
ProfileGrid – User Profiles, Memberships, Groups and Communities (CVE-2024-8861) , Sep 28, 2024
ProfileGrid – User Profiles, Memberships, Groups and Communities (CVE-2024-13740) , Feb 19, 2025
ProfileGrid – User Profiles, Memberships, Groups and Communities (CVE-2025-0724) , Mar 23, 2025
New vulnerability
WordPress Job Board and Recruitment Plugin – JobWP (CVE-2025-2010) , Apr 20, 2025
WP Logger (CVE-2025-39456) , Apr 20, 2025
visualslider Sldier (CVE-2025-23448) , Apr 20, 2025
RSS Manager (CVE-2025-39418) , Apr 20, 2025
Contact Form vCard Generator (CVE-2025-39521) , Apr 20, 2025