Skip to main content

Profilegrid User Profiles Groups And Communities

2 CVEs product

Monthly

CVE-2026-12073 CRITICAL Act Now

Account takeover in the ProfileGrid - User Profiles, Groups and Communities WordPress plugin (all versions through 5.9.9.5) lets unauthenticated remote attackers hijack the site administrator account. The plugin fails to validate a `user_login` value on registration forms lacking that parameter and mishandles the resulting error messages, allowing an attacker to overwrite the email address of the user with ID=1 (typically the admin) and then trigger a password reset to seize full control. Reported by Wordfence with a 9.8 CVSS; no public exploit identified at time of analysis.

Authentication Bypass WordPress Privilege Escalation Profilegrid User Profiles Groups And Communities
NVD VulDB
CVSS 3.1
9.8
EPSS
0.3%
CVE-2026-4610 MEDIUM This Month

Stored Cross-Site Scripting in the ProfileGrid WordPress plugin (all versions through 5.9.9.2) allows authenticated users with Subscriber-level access to inject persistent malicious scripts via the `pm_author_message` parameter in the private messaging function `pm_send_message_to_author`. The injected payload executes in any user's browser upon visiting the affected page, with a changed scope (S:C) meaning impact can extend to the broader WordPress session context - including potential admin account compromise. No public exploit has been identified at time of analysis, and a partial patch in version 5.9.8.5 does not fully remediate the issue, leaving sites running through 5.9.9.2 exposed.

XSS WordPress Profilegrid User Profiles Groups And Communities
NVD
CVSS 3.1
6.4
EPSS
0.2%
EPSS 0% CVSS 9.8
CRITICAL Act Now

Account takeover in the ProfileGrid - User Profiles, Groups and Communities WordPress plugin (all versions through 5.9.9.5) lets unauthenticated remote attackers hijack the site administrator account. The plugin fails to validate a `user_login` value on registration forms lacking that parameter and mishandles the resulting error messages, allowing an attacker to overwrite the email address of the user with ID=1 (typically the admin) and then trigger a password reset to seize full control. Reported by Wordfence with a 9.8 CVSS; no public exploit identified at time of analysis.

Authentication Bypass WordPress Privilege Escalation +1
NVD VulDB
EPSS 0% CVSS 6.4
MEDIUM This Month

Stored Cross-Site Scripting in the ProfileGrid WordPress plugin (all versions through 5.9.9.2) allows authenticated users with Subscriber-level access to inject persistent malicious scripts via the `pm_author_message` parameter in the private messaging function `pm_send_message_to_author`. The injected payload executes in any user's browser upon visiting the affected page, with a changed scope (S:C) meaning impact can extend to the broader WordPress session context - including potential admin account compromise. No public exploit has been identified at time of analysis, and a partial patch in version 5.9.8.5 does not fully remediate the issue, leaving sites running through 5.9.9.2 exposed.

XSS WordPress Profilegrid User Profiles Groups And Communities
NVD

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy