← back to popular plugins
wordfence / plugin · profilegrid-user-profiles-groups-and-communities

ProfileGrid – User Profiles, Groups and Communities

profilegrid-user-profiles-groups-and-communities
total installs
6,000
total vulns
21
critical
0
high
3
medium
18
low
0
latest vuln
patched
21
unpatched
0
avg time to patch
vulnerabilities (21)
ProfileGrid <= 5.9.8.4 - Missing Authorization to Authenticated (Subscriber+) Group Settings Modification
medium ✓ patched
cve id CVE-2026-4607 ↗
cvss score 4.3
cwe CWE-862: Missing Authorization
published May 12, 2026
The ProfileGrid – User Profiles, Groups and Communities plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 5.9.8.4. This is due to the plugin not properly verifying that a user is authorized to perform an action via the pm_set_group_order, pm_set_group_items, and pm_set_field_order AJAX actions. This makes it possible for authenticated attackers, with Subscriber-level access and above, to modify site-wide ProfileGrid group settings including group menu order, group list order, group icon display, and field ordering.
ProfileGrid <= 5.9.8.4 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Group Joining
high ✓ patched
cve id CVE-2026-4609 ↗
cvss score 7.1
cwe CWE-862: Missing Authorization
published May 12, 2026
The ProfileGrid – User Profiles, Groups and Communities plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the pm_invite_user function in all versions up to, and including, 5.9.8.4. This makes it possible for authenticated attackers, with Subscriber-level access and above, to add themselves or any registered user to any ProfileGrid group, including closed and paid groups, bypassing all authorization and payment gates.
ProfileGrid <= 5.9.8.4 - Authenticated (Subscriber+) SQL Injection via 'rid' Parameter
medium ✓ patched
cve id CVE-2026-4608 ↗
cvss score 6.5
cwe CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
published May 12, 2026
The ProfileGrid – User Profiles, Groups and Communities plugin for WordPress is vulnerable to blind SQL Injection via the 'rid' parameter in all versions up to, and including, 5.9.8.4 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Subscriber-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
ProfileGrid – User Profiles, Groups and Communities <= 5.9.8.1 - Authenticated (Subscriber+) Stored Cross-Site Scripting
medium ✓ patched
cve id CVE-2026-25417 ↗
cvss score 6.4
cwe CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
published Mar 23, 2026
The ProfileGrid – User Profiles, Groups and Communities plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 5.9.8.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with subscriber-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
ProfileGrid <= 5.9.8.1 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Message Deletion
medium ✓ patched
cve id CVE-2026-2488 ↗
cvss score 4.3
cwe CWE-862: Missing Authorization
published Mar 6, 2026
The ProfileGrid – User Profiles, Groups and Communities plugin for WordPress is vulnerable to unauthorized message deletion due to a missing capability check on the pg_delete_msg() function in all versions up to, and including, 5.9.8.1. This is due to the function not verifying that the requesting user has permission to delete the targeted message. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary messages belonging to any user by sending a direct request with a valid message ID (mid parameter).
ProfileGrid <= 5.9.8.2 - Cross-Site Request Forgery to Group Membership Request Approval/Denial
medium ✓ patched
cve id CVE-2026-2494 ↗
cvss score 4.3
cwe CWE-352: Cross-Site Request Forgery (CSRF)
published Mar 6, 2026
The ProfileGrid – User Profiles, Groups and Communities plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 5.9.8.2. This is due to missing nonce validation on the membership request management page (approve and decline actions). This makes it possible for unauthenticated attackers to approve or deny group membership requests via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
ProfileGrid <= 5.9.7.2 - Insecure Direct Object Reference to Authenticated (Subscriber+) Arbitrary User Profile and Cover Image Modification
medium ✓ patched
cve id CVE-2026-1271 ↗
cvss score 5.3
cwe CWE-639: Authorization Bypass Through User-Controlled Key
published Feb 4, 2026
The ProfileGrid – User Profiles, Groups and Communities plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 5.9.7.2 via the 'pm_upload_image' and 'pm_upload_cover_image' AJAX actions. This is due to the update_user_meta() function being called outside of the user authorization check in public/partials/crop.php and public/partials/coverimg_crop.php. This makes it possible for authenticated attackers, with Subscriber-level access and above, to change any user's profile picture or cover image, including administrators.
ProfileGrid – User Profiles, Groups and Communities <= 5.9.7.2 - Missing Authorization to Authenticated (Subscriber+) Arbitrary User Suspension
medium ✓ patched
cve id CVE-2025-13416 ↗
cvss score 4.3
cwe CWE-862: Missing Authorization
published Feb 4, 2026
The ProfileGrid – User Profiles, Groups and Communities plugin for WordPress is vulnerable to unauthorized user suspension due to a missing capability check on the pm_deactivate_user_from_group() function in all versions up to, and including, 5.9.7.2. This makes it possible for authenticated attackers, with Subscriber-level access and above, to suspend arbitrary users from groups, including administrators, via the pm_deactivate_user_from_group AJAX action.
ProfileGrid – User Profiles, Groups and Communities <= 5.9.5.7 - Reflected Cross-Site Scripting
medium ✓ patched
cve id CVE-2025-4957 ↗
cvss score 6.1
cwe CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
published Sep 1, 2025
The ProfileGrid – User Profiles, Groups and Communities plugin for WordPress is vulnerable to Reflected Cross-Site Scripting in all versions up to, and including, 5.9.5.7 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
ProfileGrid <= 5.9.5.3 - Authenticated (Subscriber+) SQL Injection
medium ✓ patched
cve id CVE-2025-49033 ↗
cvss score 6.5
cwe CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
published Jul 24, 2025
The ProfileGrid plugin for WordPress is vulnerable to SQL Injection in versions up to, and including, 5.9.5.3 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with subscriber-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
ProfileGrid – User Profiles, Groups and Communities <= 5.9.5.4 - Reflected Cross-Site Scripting via 'pm_get_messenger_notification' function
medium ✓ patched
cve id CVE-2025-6977 ↗
cvss score 6.1
cwe CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
published Jul 15, 2025
The ProfileGrid – User Profiles, Groups and Communities plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘pm_get_messenger_notification’ function in all versions up to, and including, 5.9.5.4 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a logged-in user into performing an action such as clicking on a link.
ProfileGrid <= 5.9.5.2 - Authenticated (Subscriber+) SQL Injection
medium ✓ patched
cve id CVE-2025-49876 ↗
cvss score 6.5
cwe CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
published Jul 10, 2025
The ProfileGrid plugin for WordPress is vulnerable to SQL Injection in versions up to, and including, 5.9.5.2 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with subscriber-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
ProfileGrid <= 5.9.5.2 - Authenticated (Subscriber+) Full Path Disclosure
medium ✓ patched
cve id CVE-2025-52719 ↗
cvss score 4.3
cwe CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
published Jun 19, 2025
The ProfileGrid – User Profiles, Groups and Communities plugin for WordPress is vulnerable to Full Path Disclosure in all versions up to, and including, 5.9.5.2. This makes it possible for unauthenticated attackers to retrieve the full path of the web application, which can be used to aid other attacks. The information displayed is not useful on its own, and requires another vulnerability to be present for damage to an affected website.
ProfileGrid <= 5.9.5.2 - Authenticated (Subscriber+) Server-Side Request Forgery
medium ✓ patched
cve id CVE-2025-49877 ↗
cvss score 6.4
cwe CWE-918: Server-Side Request Forgery (SSRF)
published Jun 12, 2025
The ProfileGrid – User Profiles, Groups and Communities plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 5.9.5.2. This makes it possible for authenticated attackers, with Subscriber-level access and above, to make web requests to arbitrary locations originating from the web application which can be used to query and modify information from internal services.
ProfileGrid <= 5.9.5.1 - Missing Authorization
medium ✓ patched
cve id CVE-2025-48079 ↗
cvss score 4.3
cwe CWE-862: Missing Authorization
published May 16, 2025
The ProfileGrid – User Profiles, Groups and Communities plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in all versions up to, and including, 5.9.5.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to perform an unauthorized action.
ProfileGrid <= 5.9.5.0 - Authenticated (Subscriber+) SQL Injection
medium ✓ patched
cve id CVE-2025-47478 ↗
cvss score 6.5
cwe CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
published May 12, 2025
The ProfileGrid plugin for WordPress is vulnerable to SQL Injection in versions up to, and including, 5.9.5.0 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with subscriber-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
ProfileGrid <= 5.9.4.8 - Authenticated (Subscriber+) SQL Injection
medium ✓ patched
cve id CVE-2025-39586 ↗
cvss score 6.5
cwe CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
published Apr 17, 2025
The ProfileGrid plugin for WordPress is vulnerable to SQL Injection in versions up to, and including, 5.9.4.8 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with subscriber-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
ProfileGrid – User Profiles, Groups and Communities <= 5.9.4.5 - Authenticated (Subscriber+) PHP Object Injection
high ✓ patched
cve id CVE-2025-0724 ↗
cvss score 8.8
cwe CWE-502: Deserialization of Untrusted Data
published Mar 21, 2025
The ProfileGrid – User Profiles, Groups and Communities plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 5.9.4.5 via deserialization of untrusted input in the get_user_meta_fields_html function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to inject a PHP Object. No known POP chain is present in the vulnerable software, which means this vulnerability has no impact unless another plugin or theme containing a POP chain is installed on the site. If a POP chain is present via an additional plugin or theme installed on the target system, it may allow the attacker to perform actions like delete arbitrary files, retrieve sensitive data, or execute code depending on the POP chain present.
ProfileGrid – User Profiles, Groups and Communities <= 5.9.4.4 - Missing Authorinzation to Authenticated (Subscriber+) Join Group Requests Management
medium ✓ patched
cve id CVE-2025-1408 ↗
cvss score 4.3
cwe CWE-862: Missing Authorization
published Mar 21, 2025
The ProfileGrid – User Profiles, Groups and Communities plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the pm_decline_join_group_request and pm_approve_join_group_request functions in all versions up to, and including, 5.9.4.4. This makes it possible for authenticated attackers, with Subscriber-level access and above, to approve or decline join group requests which is normally should be available to administrators only.
ProfileGrid – User Profiles, Groups and Communities <= 5.9.4.7 - Authenticated (Subscriber+) SQL Injection
medium ✓ patched
cve id CVE-2025-0723 ↗
cvss score 6.5
cwe CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
published Mar 21, 2025
The ProfileGrid – User Profiles, Groups and Communities plugin for WordPress is vulnerable to blind and time-based SQL Injections via the rid and search parameters in all versions up to, and including, 5.9.4.7 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Subscriber-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
ProfileGrid <= 5.9.4.3 - Authenticated (Subscriber+) PHP Object Injection
high ✓ patched
cve id CVE-2025-26999 ↗
cvss score 8.8
cwe CWE-502: Deserialization of Untrusted Data
published Feb 23, 2025
The ProfileGrid plugin for WordPress is vulnerable to PHP Object Injection in versions up to, and including, 5.9.4.3 via deserialization of untrusted input. This makes it possible for authenticated attackers, with subscriber-level access and above, to inject a PHP Object. No known POP chain is present in the vulnerable software. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code.