CVE-2023-3404 MEDIUM

CVE-2023-3404: ProfileGrid <= 5.5.0 - Hardcoded Encryption Key

Vendor Metagauss
Product ProfileGrid – User Profiles, Groups and Communities
Weakness CWE-321
Published August 31, 2023
Last update April 8, 2026

CVSS base score

4.9/10
Attack vector Network
Attack complexity Low
Privileges required High
User interaction None
Confidentiality High
Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N

What the vulnerability does

01Description

The ProfileGrid plugin for WordPress is vulnerable to unauthorized decryption of private information in versions up to, and including, 5.5.0. This is due to the passphrase and iv being hardcoded in the 'pm_encrypt_decrypt_pass' function and used across all sites running the plugin. This makes it possible for authenticated attackers, with administrator-level permissions or above to decrypt and view users' passwords. If combined with another vulnerability, this can potentially grant lower-privileged users access to users' passwords.

Key dates

02Disclosure timeline

August 31, 2023 CVE published
April 8, 2026 Record updated