CIVI-SA-2016-22 Profile permission check bypasses in WordPress

2016-11-28 21:18

This issue affects your site if it is hosted on WordPress, and you use ACLs to restrict access to contact data.

It was identified that CiviCRM on the WordPress CMS did not correctly trigger ACL checks when CiviCRM profile URLs were viewed via a checksum link. This could cause sites to disclose some contact data through profile pages to visitors whom the ACLs should have restricted.
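The following is an added illustration of the bug class behind this advisory, written for this page and not taken from CiviCRM's code base or from the fix: a checksum in a profile URL only establishes which contact the visitor is (authentication), while the ACL decides which contact records that viewer may see (authorization). The vulnerable path stops after the first step; the hardened path performs both. The site key, contact store, ACL table and function names are all constructed for the example.

```python
"""Hypothetical illustration (not CiviCRM code) of a checksum-authenticated
profile view that forgets to consult the ACL layer, beside the corrected form.
All keys, contacts and ACL rules below are constructed for this example."""
import hashlib
import hmac
from typing import Optional

# Constructed site secret; a real deployment uses its own site key.
SITE_KEY = b"constructed-example-site-key"

# Constructed contact store.
CONTACTS = {
    101: {"display_name": "Ada Example", "email": "ada@example.invalid"},
    202: {"display_name": "Bob Example", "email": "bob@example.invalid"},
}

# Constructed ACL: each viewer may see exactly the contact ids listed.
ACL = {
    101: {101},  # Ada may view only her own record
    202: {202},  # Bob may view only his own record
}


def make_checksum(contact_id: int, issued_at: int, ttl_hours: int = 24) -> str:
    """Issue a URL checksum that binds contact_id to an issue time and lifetime."""
    payload = f"{contact_id}_{issued_at}_{ttl_hours}".encode()
    digest = hmac.new(SITE_KEY, payload, hashlib.sha256).hexdigest()
    return f"{digest}_{issued_at}_{ttl_hours}"


def contact_from_checksum(contact_id: int, checksum: str, now: int) -> Optional[int]:
    """Return contact_id if the checksum is valid for it and unexpired, else None."""
    try:
        digest, issued_str, ttl_str = checksum.split("_")
        issued_at, ttl_hours = int(issued_str), int(ttl_str)
    except ValueError:
        return None
    expected = make_checksum(contact_id, issued_at, ttl_hours).split("_")[0]
    if not hmac.compare_digest(digest, expected):
        return None
    if ttl_hours and now > issued_at + ttl_hours * 3600:
        return None
    return contact_id


def acl_permits(viewer_id: int, target_id: int) -> bool:
    """Authorization decision: may this viewer see this contact record?"""
    return target_id in ACL.get(viewer_id, set())


def view_profile_vulnerable(viewer_cid: int, checksum: str, target_id: int, now: int):
    """Bug pattern: a valid checksum is treated as sufficient to render any
    contact's profile data; the ACL layer is never consulted."""
    if contact_from_checksum(viewer_cid, checksum, now) is None:
        return None
    return CONTACTS.get(target_id)


def view_profile_fixed(viewer_cid: int, checksum: str, target_id: int, now: int):
    """Hardened form: authenticate via checksum, then authorize via the ACL,
    regardless of how the viewer was identified."""
    viewer = contact_from_checksum(viewer_cid, checksum, now)
    if viewer is None or not acl_permits(viewer, target_id):
        return None
    return CONTACTS.get(target_id)
```

The check to take away is the one in `view_profile_fixed`: the ACL lookup must run on every code path that renders contact data, including the checksum-link path, not only on the path used by logged-in CMS users.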

Security Risk
  • Moderately Critical
  • Access Bypass
Affected Versions
  • 4.7.13
  • 4.6.23
Fixed Versions
  • 4.7.14
  • 4.6.24

Upgrade to the latest CiviCRM release.

If you cannot upgrade to the latest CiviCRM version, apply the patch here.


Thanks to Brian Shaughnessy for reporting the issue and providing a fix.