ProfileGrid WordPress Plugin Insecure Direct Object Reference Vulnerability Allowing Private Messages Disclosure

Vulnerability

An Insecure Direct Object Reference (IDOR) vulnerability has been identified in the ProfileGrid – User Profiles, Groups and Communities plugin for WordPress, affecting all versions through 5.9.4.2. The vulnerability lies in the pm_messenger_show_messages function, where insufficient validation of a user-controlled key allows authenticated attackers with Subscriber-level access or higher to read the private conversations of other users.
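To make the root cause concrete for defenders, the following is an added, hypothetical WordPress AJAX handler (not the ProfileGrid plugin's code) showing the weak pattern the advisory describes beside a hardened version; the function names, the idor_demo_* table names and the conversation_id parameter are assumptions for this illustration.

```php
<?php
// Hypothetical example: a messenger "show messages" AJAX handler in two forms.
// All names (idor_demo_*, the conversation_id key) are assumed; this is not plugin code.

// Weak pattern: the client-supplied key selects the conversation, and nothing ties
// that key to the calling user, so any logged-in account can read any conversation.
function idor_demo_show_messages_weak() {
    global $wpdb;
    $conversation_id = absint( $_POST['conversation_id'] ?? 0 );
    $rows = $wpdb->get_results( $wpdb->prepare(
        "SELECT sender_id, body FROM {$wpdb->prefix}idor_demo_messages WHERE conversation_id = %d",
        $conversation_id
    ) );
    wp_send_json_success( $rows );
}

// Hardened pattern: CSRF nonce, login check, and an authorization check that the
// caller is actually a participant of the requested conversation.
function idor_demo_show_messages_hardened() {
    global $wpdb;
    check_ajax_referer( 'idor_demo_messages', 'nonce' );
    if ( ! is_user_logged_in() ) {
        wp_send_json_error( 'login required', 401 );
    }
    $conversation_id = absint( $_POST['conversation_id'] ?? 0 );
    $user_id         = get_current_user_id();
    // Ownership check: the object key must belong to the current user.
    $is_participant = (bool) $wpdb->get_var( $wpdb->prepare(
        "SELECT COUNT(*) FROM {$wpdb->prefix}idor_demo_participants
          WHERE conversation_id = %d AND user_id = %d",
        $conversation_id, $user_id
    ) );
    if ( ! $is_participant ) {
        // Respond as "not found" so error text does not confirm that a key exists.
        wp_send_json_error( 'conversation not found', 404 );
    }
    $rows = $wpdb->get_results( $wpdb->prepare(
        "SELECT sender_id, body FROM {$wpdb->prefix}idor_demo_messages WHERE conversation_id = %d",
        $conversation_id
    ) );
    wp_send_json_success( $rows );
}
// Only the hardened handler is registered; wp_ajax_ hooks run for logged-in users only.
add_action( 'wp_ajax_idor_demo_show_messages', 'idor_demo_show_messages_hardened' );
```

The key point for code review is the participant lookup: validating that the key is numeric is not authorization, and a handler that fetches by key alone is the IDOR shape regardless of how well the input is sanitized.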

Impact

Exploitation of this vulnerability allows for unauthorized access to private messages between users, potentially leading to privacy violations and misuse of disclosed information.

Remediation

Users are advised to update the ProfileGrid – User Profiles, Groups and Communities plugin to version 5.9.4.3 or a newer patched version.

Added: Sep 1, 2025, 7:22 PM
Updated: Sep 1, 2025, 7:22 PM

Vulnerability Rating

Custom Algorithm
spread: 5.2
impact: 2.5
exploitability: 5.0
remediation: 7.7
relevance: 0.0
threat: 0.0
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.