Skip to main content

ProfileGrid CVE-2026-4610

| EUVDEUVD-2026-38447 MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-06-23 Wordfence GHSA-377q-j2cj-r6x8
6.4
CVSS 3.1 · Vendor: Wordfence
Share

Severity by source

Vendor (Wordfence) PRIMARY
6.4 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
vuln.today AI
5.4 MEDIUM

Stored XSS still requires a victim to load the injected page (UI:R); Subscriber-level auth gates injection (PR:L); scope change reflects WordPress cross-context impact.

3.1 AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N

Primary rating from Vendor (Wordfence).

CVSS VectorVendor: Wordfence

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

2
Analysis Generated
Jun 23, 2026 - 13:13 vuln.today
CVE Published
Jun 23, 2026 - 12:32 cve.org
MEDIUM 6.4

DescriptionCVE.org

The ProfileGrid - User Profiles, Groups and Communities plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'pm_author_message' parameter in the pm_send_message_to_author function in all versions up to, and including, 5.9.9.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Subscriber-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. The vulnerability was partially patched in version 5.9.8.5.

AnalysisAI

Stored Cross-Site Scripting in the ProfileGrid WordPress plugin (all versions through 5.9.9.2) allows authenticated users with Subscriber-level access to inject persistent malicious scripts via the pm_author_message parameter in the private messaging function pm_send_message_to_author. The injected payload executes in any user's browser upon visiting the affected page, with a changed scope (S:C) meaning impact can extend to the broader WordPress session context - including potential admin account compromise. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Recon
Register Subscriber account on target WordPress site
Delivery
Craft XSS payload in pm_author_message field
Exploit
Submit message via pm_send_message_to_author
Install
Payload stored persistently in database
C2
Victim user or admin loads affected page
Execute
Injected script executes in victim browser
Impact
Steal session token or escalate to site administrator

Vulnerability AssessmentAI

Exploitation Exploitation requires the attacker to hold at minimum a Subscriber-level WordPress account on the target site, meaning open user registration must be enabled or the attacker must possess a low-privilege credential obtained by other means. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The NVD-provided CVSS 6.4 vector (AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N) highlights several meaningful signals: the attack is network-reachable with low complexity, requires only Subscriber-level credentials (a low but non-zero barrier), and carries a changed scope that signals the potential for cross-context impact such as WordPress admin session hijacking. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker registers a free Subscriber account on a WordPress site with ProfileGrid installed and open user registration enabled, then sends a private message to an author containing a crafted XSS payload in the message body field. When an administrator or any authenticated user subsequently views the message thread or an affected page, the stored script silently executes in their browser - enabling the attacker to steal the victim's session cookie, capture credentials, or issue authenticated WordPress API requests to create a rogue admin account.
Remediation Update the ProfileGrid plugin to a version beyond 5.9.9.2 that fully addresses this vulnerability; the patch changeset is documented at https://plugins.trac.wordpress.org/changeset/3538301/ and should be cross-referenced against the installed version to confirm full remediation - the partial fix in 5.9.8.5 is explicitly insufficient per the CVE description. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-4610 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy