Description (NVD)
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Metagauss ProfileGrid profilegrid-user-profiles-groups-and-communities allows SQL Injection. This issue affects ProfileGrid: from n/a through <= 5.9.5.2.
Analysis (AI)
SQL injection vulnerability in ProfileGrid WordPress plugin versions through 5.9.5.2 allows unauthenticated remote attackers to execute arbitrary SQL queries, potentially leading to unauthorized access, modification, or deletion of database contents. The vulnerability affects a widely deployed WordPress community plugin. No active public exploitation was confirmed at analysis time, but the low EPSS score (0.05th percentile) does not diminish the critical nature of SQL injection in production environments.
Technical Context (AI)
This SQL injection vulnerability (CWE-89: Improper Neutralization of Special Elements used in an SQL Command) stems from inadequate input sanitization or a missing parameterized-query implementation in the ProfileGrid plugin's database interaction layer. The plugin, which manages user profiles, groups, and communities on WordPress sites, fails to properly escape or bind user-supplied input before constructing SQL queries. Attackers can inject SQL syntax through request parameters to manipulate query logic, bypass authentication checks, or exfiltrate sensitive data from the WordPress database. WordPress plugins are frequent targets because of their broad deployment across millions of sites and their direct database access through the WordPress database abstraction class (wpdb).
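As an added illustration (not ProfileGrid's code; the plugin's actual query, table and parameter names are not on this page), here is the wpdb pattern described above in a hypothetical handler, first in its vulnerable string-concatenation form and then rewritten with $wpdb->prepare() and input validation:

```php
<?php
// Added example, not ProfileGrid's code. The function names, the table
// pg_group_members and the request parameters are hypothetical; they show
// the CWE-89 pattern in a WordPress plugin that queries through $wpdb.

// VULNERABLE: request input is concatenated straight into the SQL string.
// $wpdb->get_results() sends the string to MySQL unchanged, so any quote or
// operator in the parameters becomes part of the query logic.
function pg_hypothetical_members_vulnerable() {
    global $wpdb;
    $group_id = $_GET['group_id'];   // untrusted, unvalidated
    $status   = $_GET['status'];     // untrusted, unvalidated
    $sql = "SELECT user_id FROM {$wpdb->prefix}pg_group_members "
         . "WHERE group_id = " . $group_id . " AND status = '" . $status . "'";
    return $wpdb->get_results( $sql );
}

// HARDENED: gate the endpoint, validate types, allow-list enumerations,
// then let $wpdb->prepare() bind the values. %d forces an integer and %s
// becomes an escaped, quoted string, so input cannot alter the statement.
function pg_hypothetical_members_hardened() {
    global $wpdb;

    // An unauthenticated request should never reach the query at all.
    if ( ! current_user_can( 'read' )
        || ! check_ajax_referer( 'pg_members', 'nonce', false ) ) {
        return new WP_Error( 'forbidden', 'Not allowed' );
    }

    $group_id = isset( $_GET['group_id'] ) ? absint( $_GET['group_id'] ) : 0;
    $status   = isset( $_GET['status'] ) ? sanitize_key( $_GET['status'] ) : 'active';

    // Allow-list the enumerated value instead of trusting the raw string.
    if ( ! in_array( $status, array( 'active', 'pending', 'blocked' ), true ) ) {
        return new WP_Error( 'bad_status', 'Invalid status' );
    }

    $sql = $wpdb->prepare(
        "SELECT user_id FROM {$wpdb->prefix}pg_group_members"
        . " WHERE group_id = %d AND status = %s",
        $group_id,
        $status
    );
    return $wpdb->get_results( $sql );
}
```

When reviewing a plugin for this class of bug, grep for $wpdb->query, get_results, get_var and get_row calls whose SQL string is built with string interpolation or concatenation of request data and that are not wrapped in $wpdb->prepare().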
Affected Products (AI)
The ProfileGrid (profilegrid-user-profiles-groups-and-communities) WordPress plugin is affected in all versions from its initial release through version 5.9.5.2 inclusive. The plugin is deployed as a standard WordPress plugin installable from wordpress.org. No CPE string is provided in the source data, but the affected software can be identified by its WordPress plugin directory slug, 'profilegrid-user-profiles-groups-and-communities'. For vendor details and the advisory, see the Patchstack vulnerability database entry: https://patchstack.com/database/Wordpress/Plugin/profilegrid-user-profiles-groups-and-communities/vulnerability/wordpress-profilegrid-5-9-5-2-sql-injection-vulnerability?_s_id=cve
Remediation (AI)
Update ProfileGrid to the patched version immediately. Based on the Patchstack advisory and standard vulnerability disclosure practices, a patched version above 5.9.5.2 has been released by the plugin developers; verify and upgrade to the latest available version via the WordPress admin dashboard (Plugins → Updates) or by downloading it manually from wordpress.org. If immediate patching is not feasible, disable the plugin until the patch can be applied, as SQL injection in an active plugin presents unacceptable database exposure. No known workaround mitigates this SQL injection without patching; disabling the vulnerable plugin is the only temporary mitigation. Consult the Patchstack advisory (https://patchstack.com/database/Wordpress/Plugin/profilegrid-user-profiles-groups-and-communities/vulnerability/wordpress-profilegrid-5-9-5-2-sql-injection-vulnerability?_s_id=cve) for the exact patched version number and confirmation that the fix has been deployed.