Medium severity4.9NVD Advisory· Published Aug 31, 2023· Updated Apr 8, 2026

CVE-2023-3404

Description

The ProfileGrid plugin for WordPress is vulnerable to unauthorized decryption of private information in versions up to, and including, 5.5.0. This is due to the passphrase and iv being hardcoded in the 'pm_encrypt_decrypt_pass' function and used across all sites running the plugin. This makes it possible for authenticated attackers, with administrator-level permissions or above to decrypt and view users' passwords. If combined with another vulnerability, this can potentially grant lower-privileged users access to users' passwords.

Affected products

Metagauss/Profilegrid
cpe:2.3:a:metagauss:profilegrid:*:*:*:*:*:wordpress:*:*
Range: <=5.5.0

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

plugins.trac.wordpress.org/browser/profilegrid-user-profiles-groups-and-communities/tags/5.4.8/includes/class-profile-magic-request.phpnvdPatch
plugins.trac.wordpress.org/changeset/2936383/profilegrid-user-profiles-groups-and-communitiesnvdPatch
www.wordfence.com/threat-intel/vulnerabilities/id/6d490bfb-6560-428e-ad91-0f8d8bc9b1f2nvdThird Party Advisory

News mentions

No linked articles in our index yet.

cvss	0.319
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000