ProfileGrid CVE-2025-26999

Severity: HIGH (CVSS 3.1 base score 8.8, NVD)
Weakness: Deserialization of Untrusted Data (CWE-502)
Published: 2025-03-03 (audit@patchstack.com)
Severity by source

NVD (primary): 8.8 HIGH
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD; the only source for this CVE.

CVSS Vector (NVD)

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Lifecycle Timeline

Analysis Updated: Apr 25, 2026 00:56 (vuln.today), v2 (cvss_changed)
Re-analysis Queued: Apr 23, 2026 15:42 (vuln.today), cvss_changed
Analysis Generated: Mar 28, 2026 18:29 (vuln.today)
CVE Published: Mar 03, 2025 14:15 (nvd), HIGH 8.8

Description (CVE.org)

Deserialization of Untrusted Data vulnerability in Metagauss ProfileGrid allows Object Injection. This issue affects ProfileGrid: from n/a through 5.9.4.3.

Analysis (AI-generated)

PHP object injection in the ProfileGrid WordPress plugin, versions up to and including 5.9.4.3, allows an authenticated attacker to execute arbitrary code through unsafe deserialization of user-controlled data. With a CVSS score of 8.8 and only a low-privilege account required, this CWE-502 vulnerability enables full site compromise. The EPSS exploitation probability is low (0.23%, 45th percentile) and no active exploitation or public POC is confirmed, though Patchstack has documented the vulnerability in its WordPress plugin security database.

Technical Context (AI-generated)

This is a PHP object injection vulnerability (CWE-502: Deserialization of Untrusted Data) affecting the ProfileGrid WordPress plugin, a community management and user profile platform. PHP object injection occurs when untrusted serialized data is passed to the unserialize() function without proper validation. An attacker can craft a serialized payload that, when deserialized, instantiates classes already loaded by the site (the plugin, WordPress core, or other plugins) so that their magic methods, such as __wakeup() or __destruct(), run with attacker-controlled property values; chained together, such methods can lead to arbitrary code execution. ProfileGrid likely deserializes user-supplied data (POST parameters, cookies, or database values) in its user profile or group management functionality without validating object types or sanitizing input. The vulnerability affects all versions through 5.9.4.3, indicating a longstanding architectural flaw in how the plugin handles serialized data structures for profile fields, group settings, or user metadata.

Affected Products (AI-generated)

The WordPress plugin ProfileGrid (User Profiles, Groups and Communities), from its earliest release through version 5.9.4.3, is affected. The Patchstack advisory at https://patchstack.com/database/wordpress/plugin/profilegrid-user-profiles-groups-and-communities/vulnerability/wordpress-profilegrid-plugin-5-9-4-3-php-object-injection-vulnerability confirms the vulnerability scope. The plugin is distributed through the official WordPress plugin repository and is used to build community sites with user profiles, groups, and member directories.

Remediation (AI-generated)

Upgrade ProfileGrid to version 5.9.4.4 or later if available, as the advisory indicates 5.9.4.3 is the last vulnerable version. Check the official WordPress plugin repository or the Metagauss vendor site for the latest patched release. The Patchstack reference at https://patchstack.com/database/wordpress/plugin/profilegrid-user-profiles-groups-and-communities/vulnerability/wordpress-profilegrid-plugin-5-9-4-3-php-object-injection-vulnerability should be monitored for patch confirmation and additional remediation guidance. If immediate patching is not feasible, implement these compensating controls: disable user registration so that attackers cannot obtain the low-privilege account the vulnerability requires (reduces attack surface but breaks legitimate community functionality); restrict ProfileGrid features to trusted administrator accounts via WordPress role management (severely limits plugin utility); and add web application firewall (WAF) rules that detect and block serialized PHP objects (the O:<length>:"ClassName" form) in POST parameters and cookies sent to ProfileGrid endpoints (may cause false positives with legitimate profile updates). Monitor PHP error logs and WordPress activity logs for deserialization of unexpected object types and for failed unserialize() attempts (PHP reports these as "unserialize(): Error at offset ..." notices) as potential exploitation indicators.
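The mechanism described under Technical Context and the request-level check suggested under Remediation, shown as an added PHP example that is not ProfileGrid, Patchstack or vuln.today code; the AuditHook class, the function names and the sample inputs are hypothetical and constructed for illustration:

```php
<?php
// Added example, not plugin code: the unsafe unserialize() shape behind
// CWE-502, a hardened replacement, and the input check a WAF rule or
// request filter would apply. All names here are hypothetical.

class AuditHook {
    public $message = 'side effect';
    public function __wakeup() {
        // Runs the moment unserialize() rebuilds this object, before the
        // caller ever inspects the result; this is the hook object
        // injection relies on, here reduced to a harmless echo.
        echo "[__wakeup fired] {$this->message}\n";
    }
}

// Vulnerable shape: untrusted input passed straight to unserialize().
function load_settings_unsafe(string $untrusted) {
    return unserialize($untrusted);
}

// Hardened: no class may be instantiated (allowed_classes => false turns
// every object into a __PHP_Incomplete_Class placeholder whose magic
// methods never run), and any placeholder that still appears is rejected.
function load_settings_safe(string $untrusted): ?array {
    $data = @unserialize($untrusted, ['allowed_classes' => false]);
    if (!is_array($data)) {
        return null; // malformed input or a non-array top level
    }
    array_walk_recursive($data, function ($value) {
        if (is_object($value)) {
            throw new UnexpectedValueException('object found in serialized settings');
        }
    });
    return $data;
}

// Request-level check: a serialized PHP object starts with O:<len>:"Class"
// (C: for classes with a custom serializer). Plain settings arrays never
// contain that token, though a string value that happens to contain it
// will be flagged too, which is the false-positive risk noted above.
function contains_serialized_object(string $value): bool {
    return preg_match('/(^|[;{])[OC]:\d+:"/', $value) === 1;
}

// Constructed sample inputs: a benign settings array and the same array
// with one value replaced by a serialized object.
$benign  = serialize(['theme' => 'dark', 'notify' => true]);
$hostile = serialize(['theme' => new AuditHook()]);

load_settings_unsafe($hostile);              // __wakeup() runs here
var_dump(load_settings_safe($benign));       // array is returned intact
var_dump(contains_serialized_object($hostile));
try {
    load_settings_safe($hostile);            // __wakeup() never runs
} catch (UnexpectedValueException $e) {
    echo "rejected: {$e->getMessage()}\n";
}
```

Replacing serialize()/unserialize() with json_encode()/json_decode() for settings that never legitimately carry objects removes the class of bug entirely rather than filtering it.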

CVE-2025-26999 vulnerability details – vuln.today