← Volver a CVEs
CVE-2023-3404
MEDIUM4.9
Descripcion
The ProfileGrid plugin for WordPress is vulnerable to unauthorized decryption of private information in versions up to, and including, 5.5.0. This is due to the passphrase and iv being hardcoded in the 'pm_encrypt_decrypt_pass' function and used across all sites running the plugin. This makes it possible for authenticated attackers, with administrator-level permissions or above to decrypt and view users' passwords. If combined with another vulnerability, this can potentially grant lower-privileged users access to users' passwords.
Detalles CVE
Puntuacion CVSS v3.14.9
SeveridadMEDIUM
Vector CVSSCVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
Vector de ataqueNETWORK
ComplejidadLOW
Privilegios requeridosHIGH
Interaccion usuarioNONE
Publicado8/31/2023
Ultima modificacion4/8/2026
Fuentenvd
Avistamientos honeypot0
Productos afectados
metagauss:profilegrid
Debilidades (CWE)
CWE-321
Referencias
https://plugins.trac.wordpress.org/browser/profilegrid-user-profiles-groups-and-communities/tags/5.4.8/includes/class-profile-magic-request.php#L325(security@wordfence.com)
https://plugins.trac.wordpress.org/changeset/2936383/profilegrid-user-profiles-groups-and-communities#file475(security@wordfence.com)
https://www.wordfence.com/threat-intel/vulnerabilities/id/6d490bfb-6560-428e-ad91-0f8d8bc9b1f2?source=cve(security@wordfence.com)
https://plugins.trac.wordpress.org/browser/profilegrid-user-profiles-groups-and-communities/tags/5.4.8/includes/class-profile-magic-request.php#L325(af854a3a-2127-422b-91ae-364da2661108)
https://plugins.trac.wordpress.org/changeset/2936383/profilegrid-user-profiles-groups-and-communities#file475(af854a3a-2127-422b-91ae-364da2661108)
https://www.wordfence.com/threat-intel/vulnerabilities/id/6d490bfb-6560-428e-ad91-0f8d8bc9b1f2?source=cve(af854a3a-2127-422b-91ae-364da2661108)
Correlaciones IOC
Sin correlaciones registradas
This product uses data from the NVD API but is not endorsed or certified by the NVD.