What is CVE-2023-3404?

CVE-2023-3404 is a vulnerability in the ProfileGrid plugin for WordPress that allows unauthorized decryption of private information.

What is the severity of CVE-2023-3404?

The severity of CVE-2023-3404 is medium with a severity value of 4.9.

Which version of the ProfileGrid plugin for WordPress is affected?

Versions up to and including 5.5.0 of the ProfileGrid plugin for WordPress are affected.

How does CVE-2023-3404 work?

CVE-2023-3404 works by using hardcoded passphrase and iv in the 'pm_encrypt_decrypt_pass' function, which can be exploited to decrypt private information.

How can I fix CVE-2023-3404?

To fix CVE-2023-3404, update the ProfileGrid plugin to a version higher than 5.5.0.

Vulnerability/
CVE-2023-3404

medium

4.9

CWE

321

31/8/2023

2/8/2024

CVE-2023-3404

First published: Thu Aug 31 2023(Updated: )

The ProfileGrid plugin for WordPress is vulnerable to unauthorized decryption of private information in versions up to, and including, 5.5.0. This is due to the passphrase and iv being hardcoded in the 'pm_encrypt_decrypt_pass' function and used across all sites running the plugin. This makes it possible for authenticated attackers, with administrator-level permissions or above to decrypt and view users' passwords. If combined with another vulnerability, this can potentially grant lower-privileged users access to users' passwords.

Credit: security@wordfence.com security@wordfence.com

Affected Software	Affected Version	How to fix
Metagauss Profilegrid	<=5.5.0

Remedy

https://plugins.trac.wordpress.org/browser/profilegrid-user-profiles-groups-and-communities/tags/5.4.8/includes/class-profile-magic-request.php#L325

Remedy

https://plugins.trac.wordpress.org/changeset/2936383/profilegrid-user-profiles-groups-and-communities#file475

Never miss a vulnerability like this again

Reference Links

Frequently Asked Questions

What is CVE-2023-3404?
CVE-2023-3404 is a vulnerability in the ProfileGrid plugin for WordPress that allows unauthorized decryption of private information.
What is the severity of CVE-2023-3404?
The severity of CVE-2023-3404 is medium with a severity value of 4.9.
Which version of the ProfileGrid plugin for WordPress is affected?
Versions up to and including 5.5.0 of the ProfileGrid plugin for WordPress are affected.
How does CVE-2023-3404 work?
CVE-2023-3404 works by using hardcoded passphrase and iv in the 'pm_encrypt_decrypt_pass' function, which can be exploited to decrypt private information.
How can I fix CVE-2023-3404?
To fix CVE-2023-3404, update the ProfileGrid plugin to a version higher than 5.5.0.

collector/nvd-api
collector/nvd-index
agent/references
agent/severity
agent/weakness
agent/author
agent/type
agent/event
agent/description
agent/remedy
agent/softwarecombine
agent/last-modified-date
agent/first-publish-date
agent/tags
collector/mitre-cve
source/MITRE
vendor/metagauss
canonical/metagauss profilegrid
version/metagauss profilegrid/5.5.0

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co

By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.