CVE-2024-5453 is a vulnerability classified under CWE-862 (Missing Authorization) affecting the ProfileGrid – User Profiles, Groups and Communities plugin for WordPress, developed by metagauss. The issue stems from the absence of proper capability checks in two key functions: pm_dismissible_notice and pm_wizard_update_group_icon. These functions fail to verify whether the authenticated user has the necessary permissions before allowing changes to plugin options or group icons. As a result, any authenticated user with at least Subscriber-level access can exploit this flaw to arbitrarily set certain options to the value '1' or alter group icons, potentially leading to unauthorized modifications of site appearance or behavior related to user groups and profiles. The vulnerability affects all versions up to and including 5.8.6 of the plugin. The CVSS v3.1 base score is 4.3, reflecting a medium severity level, with an attack vector over the network, low attack complexity, requiring privileges, no user interaction, and impacting integrity but not confidentiality or availability. No patches or fixes have been linked yet, and no known exploits are reported in the wild, but the vulnerability poses a risk to WordPress sites using this plugin, especially those with multiple user roles and community features.

The primary impact of CVE-2024-5453 is unauthorized integrity modification within affected WordPress sites. Attackers with Subscriber-level access or higher can change plugin options and group icons without proper authorization, potentially leading to misleading or maliciously altered user group representations and site configurations. While this does not directly compromise confidential data or site availability, it undermines trust in the site's user community features and can facilitate further social engineering or privilege escalation attempts. For organizations relying on ProfileGrid for managing user profiles and groups, this could disrupt community management, degrade user experience, and open avenues for additional attacks leveraging altered group settings. The vulnerability's ease of exploitation by low-privilege authenticated users increases its risk, especially on sites with large user bases or where Subscribers are common. Although no exploits are known in the wild, the vulnerability should be considered a moderate threat to integrity and site governance.

To mitigate CVE-2024-5453, organizations should first check for and apply any official patches or updates from metagauss once released. Until a patch is available, administrators should restrict Subscriber-level user capabilities to the minimum necessary, potentially disabling or limiting access to the ProfileGrid plugin features for low-privilege users. Implementing additional access control plugins or custom code to enforce capability checks on the vulnerable functions can help prevent unauthorized modifications. Monitoring plugin option changes and group icon updates through logging or alerting mechanisms can detect exploitation attempts early. Regularly auditing user roles and permissions, especially for Subscriber accounts, will reduce the attack surface. Additionally, consider isolating community management functions to trusted user roles only and educating users about the risks of unauthorized changes. Finally, maintain up-to-date backups to recover quickly if unauthorized modifications occur.