CVE-2024-32772: 
WordPress vulnerability analysis and mitigation

The CVE-2024-32772 is an Authorization Bypass Through User-Controlled Key vulnerability affecting Metagauss ProfileGrid WordPress plugin versions through 5.7.9. The vulnerability was discovered by Kyle Sanchez and was publicly disclosed on April 22, 2024. This security issue affects the ProfileGrid – User Profiles, Memberships, Groups and Communities plugin, which is a WordPress extension for managing user profiles and communities (Patchstack, WPScan).

The vulnerability is classified as an Insecure Direct Object References (IDOR) issue, categorized under CWE-639 (Authorization Bypass Through User-Controlled Key). It has received varying CVSS severity scores, with NIST assigning a High severity score of 8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), while Patchstack assessed it as Medium severity with a score of 4.3 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N). The vulnerability stems from missing validation on a user-controlled key (NVD).

The vulnerability could allow authenticated attackers with subscriber-level access and above to perform unauthorized actions. An insecure direct object reference vulnerability could potentially enable a malicious actor to bypass authorization, authentication, access sensitive files/folders, or interact with the database (Patchstack).

The vulnerability has been fixed in version 5.8.0 of the ProfileGrid plugin. Users are advised to update to version 5.8.0 or later to remove the vulnerability. Patchstack users can enable auto-update for vulnerable plugins (Patchstack).