ProfileGrid
Moderate fix1 remedy
cpe:2.3:a:profilegrid:profilegrid:*:*:*:*:wordpress:*:*
Moderate fix1 remedy
- <= 5.9.8.4
ProfileGrid WordPress Plugin Authorization Bypass Vulnerability in Group Settings Modification
Vulnerability
Patched
A vulnerability allowing authorization bypass has been identified in the ProfileGrid – User Profiles, Groups and Communities plugin for WordPress, affecting all versions through 5.9.8.4. The issue arises because the plugin fails to properly verify user authorization for certain actions via AJAX. This flaw enables authenticated attackers with Subscriber-level access and above to alter site-wide ProfileGrid group settings, including menu order, list order, icon display, and field ordering.
Impact
Exploitation of this vulnerability allows for unauthorized modification of group settings, which could disrupt the organization and management of user groups within the WordPress site.
Reproduction
To reproduce this vulnerability, an authenticated user with Subscriber-level access or higher can send a request to the WordPress site using the pm_set_group_order, pm_set_group_items, or pm_set_field_order AJAX actions. These actions can be used to modify group settings without proper authorization, such as changing the order of groups in the menu or list, altering group icons, or rearranging field orders.
Remediation
Users are advised to update the ProfileGrid – User Profiles, Groups and Communities plugin to version 5.9.8.5 or a newer patched version.
Added: May 13, 2026, 4:04 PM
Updated: May 13, 2026, 4:04 PM
Vulnerability Rating
Custom Algorithm
spread
5.2impact
0.6exploitability
6.4remediation
7.7relevance
8.2threat
4.8urgency
2.9incentive
0.0Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.