Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Unauthenticated network registration request with no user interaction yields admin takeover, so AV:N/AC:L/PR:N/UI:N and full C/I/A impact.
Primary rating from Vendor (Wordfence).
CVSS VectorVendor: Wordfence
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
2DescriptionCVE.org
The ProfileGrid - User Profiles, Groups and Communities plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 5.9.9.5. This is due to the plugin not validating a user_login on registration forms that don't contain this parameter, and not properly handling the error messages. This makes it possible for unauthenticated attackers to change email address of user account with ID=1 (usually an administrator), and leverage that to reset the user's password and gain access to their account.
Articles & Coverage 2
AnalysisAI
Account takeover in the ProfileGrid - User Profiles, Groups and Communities WordPress plugin (all versions through 5.9.9.5) lets unauthenticated remote attackers hijack the site administrator account. The plugin fails to validate a user_login value on registration forms lacking that parameter and mishandles the resulting error messages, allowing an attacker to overwrite the email address of the user with ID=1 (typically the admin) and then trigger a password reset to seize full control. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | The site must run the ProfileGrid plugin (≤ 5.9.9.5) with a reachable front-end registration form that does not include the `user_login` parameter - that specific form configuration is the triggering condition named in the description. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | All signals point the same direction for ease of exploitation: the CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N) describes a network-reachable, low-complexity, unauthenticated attack requiring no user interaction, with full C/I/A impact (9.8 critical). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker locates a WordPress site running ProfileGrid and submits a crafted registration request to a form that omits the `user_login` parameter, abusing the unvalidated input and mishandled error path to overwrite the email address of the user with ID=1 (the admin). The attacker then requests a WordPress password reset, receives the reset link at their attacker-controlled email, and logs in as administrator - all without authentication or user interaction. … |
| Remediation | Upstream fix available (changeset/commit); released patched version not independently confirmed from the provided data - the fix is committed at https://plugins.trac.wordpress.org/changeset/3578435/, so update ProfileGrid to the first release published after 5.9.9.5 (verify the exact patched version in the Wordfence advisory at https://www.wordfence.com/threat-intel/vulnerabilities/id/2d35279d-299e-4ca2-8f84-165284e058c8?source=cve before deploying). … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
WITHIN 24 HOURS: Deactivate ProfileGrid plugin immediately; audit administrator account (user ID 1) for unauthorized email changes, password resets, or suspicious access activity. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Same technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-40254
GHSA-5949-6pq3-mp7g