Critical Vulnerabilities Patched in ProfilePress Plugin

Earlier today, the Wordfence Threat Intelligence team announced numerous vulnerabilities that were fixed in ProfilePress, a widely used WordPress plugin.

These vulnerabilities allowed attackers to upload arbitrary files to a vulnerable site and gain administrative privileges, even if registration was disabled.

The ProfilePress membership plugin (formerly known as WP User Avatar) is a powerful plugin that lets you set up beautiful user profiles, member directories, and frontend forms for registration, login, and password changes. It also offers security and access control features. However, a handful of security problems were introduced along with the new features.

This flaw is rated as ‘Critical’ on Patchstack (Score: 9.8).


The Wordfence team first contacted the plugin’s developer on May 27, 2021, and a patch was released as version 3.1.4 on May 30, 2021.

Patches have been released for these critical security issues, so if you are using an outdated version of the plugin (3.1 – 3.1.3), you should update to the latest patched version immediately.
