Volerion logoVolerion
Volerion logoVolerion

ProfileGrid User Profiles, Groups and Communities Reflected Cross-Site Scripting Vulnerability

Vulnerability

A reflected cross-site scripting vulnerability has been identified in the ProfileGrid – User Profiles, Groups and Communities plugin for WordPress, affecting all versions through 5.9.5.4. The issue arises in the 'pm_get_messenger_notification' function, where inadequate input sanitization and output escaping allow unauthenticated attackers to inject arbitrary web scripts. These scripts can be executed if a logged-in user is tricked into clicking a link or performing a similar action.

Impact

Exploitation of this vulnerability allows for reflected cross-site scripting, where an attacker can inject malicious scripts that are executed in the context of the user.

Reproduction

To reproduce this vulnerability, an attacker must craft a link that exploits the 'pm_get_messenger_notification' function. This link should include a payload that injects a script, taking advantage of the lack of proper input validation and output escaping. Once the link is clicked by a logged-in user, the injected script will execute, demonstrating the cross-site scripting vulnerability.

Remediation

Users are advised to update the ProfileGrid – User Profiles, Groups and Communities plugin to version 5.9.5.5 or later.

Added: Sep 1, 2025, 7:22 PM
Updated: Sep 1, 2025, 7:22 PM

Vulnerability Rating

Custom Algorithm
spread
5.2
impact
1.7
exploitability
7.6
remediation
7.7
relevance
0.3
threat
4.8
urgency
2.9
incentive
1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.