Severity by source
AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Stored XSS still requires a victim to load the injected page (UI:R); Subscriber-level auth gates injection (PR:L); scope change reflects WordPress cross-context impact.
Primary rating from Vendor (Wordfence).
CVSS VectorVendor: Wordfence
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Lifecycle Timeline
2DescriptionCVE.org
The ProfileGrid - User Profiles, Groups and Communities plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'pm_author_message' parameter in the pm_send_message_to_author function in all versions up to, and including, 5.9.9.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Subscriber-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. The vulnerability was partially patched in version 5.9.8.5.
AnalysisAI
Stored Cross-Site Scripting in the ProfileGrid WordPress plugin (all versions through 5.9.9.2) allows authenticated users with Subscriber-level access to inject persistent malicious scripts via the pm_author_message parameter in the private messaging function pm_send_message_to_author. The injected payload executes in any user's browser upon visiting the affected page, with a changed scope (S:C) meaning impact can extend to the broader WordPress session context - including potential admin account compromise. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires the attacker to hold at minimum a Subscriber-level WordPress account on the target site, meaning open user registration must be enabled or the attacker must possess a low-privilege credential obtained by other means. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The NVD-provided CVSS 6.4 vector (AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N) highlights several meaningful signals: the attack is network-reachable with low complexity, requires only Subscriber-level credentials (a low but non-zero barrier), and carries a changed scope that signals the potential for cross-context impact such as WordPress admin session hijacking. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker registers a free Subscriber account on a WordPress site with ProfileGrid installed and open user registration enabled, then sends a private message to an author containing a crafted XSS payload in the message body field. When an administrator or any authenticated user subsequently views the message thread or an affected page, the stored script silently executes in their browser - enabling the attacker to steal the victim's session cookie, capture credentials, or issue authenticated WordPress API requests to create a rogue admin account. |
| Remediation | Update the ProfileGrid plugin to a version beyond 5.9.9.2 that fully addresses this vulnerability; the patch changeset is documented at https://plugins.trac.wordpress.org/changeset/3538301/ and should be cross-referenced against the installed version to confirm full remediation - the partial fix in 5.9.8.5 is explicitly insufficient per the CVE description. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-38447
GHSA-377q-j2cj-r6x8