High severity8.8NVD Advisory· Published Jul 10, 2024· Updated Apr 8, 2026
CVE-2024-6411
CVE-2024-6411
Description
The ProfileGrid – User Profiles, Groups and Communities plugin for WordPress is vulnerable to privilege escalation in all versions up to, and including, 5.8.9. This is due to a lack of validation on user-supplied data in the 'pm_upload_image' AJAX action. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update their user capabilities to Administrator.
Affected products
1Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
6- plugins.trac.wordpress.org/changeset/3111609/nvdPatch
- www.wordfence.com/threat-intel/vulnerabilities/id/2ef3c7fb-27f5-4829-8cb6-d3a52778a689nvdThird Party Advisory
- plugins.trac.wordpress.org/browser/profilegrid-user-profiles-groups-and-communities/trunk/public/js/profile-magic-admin-power.jsnvdProduct
- plugins.trac.wordpress.org/browser/profilegrid-user-profiles-groups-and-communities/trunk/public/js/profile-magic-admin-power.jsnvdProduct
- plugins.trac.wordpress.org/browser/profilegrid-user-profiles-groups-and-communities/trunk/public/partials/coverimg_crop.phpnvdProduct
- plugins.trac.wordpress.org/browser/profilegrid-user-profiles-groups-and-communities/trunk/public/partials/crop.phpnvdProduct
News mentions
0No linked articles in our index yet.