ProfileGrid
cpe:2.3:a:profilegrid:profilegrid:*:*:*:*:wordpress:*:*
- <= 5.9.8.4
A blind SQL injection vulnerability has been identified in the ProfileGrid – User Profiles, Groups and Communities plugin for WordPress. This issue affects all versions through 5.9.8.4 and arises from inadequate escaping of user-supplied data in the 'rid' parameter, coupled with a lack of proper preparation in the SQL query. As a result, authenticated attackers with Subscriber-level access or higher can manipulate existing SQL queries to extract sensitive information from the database.
Successful exploitation gives the attacker blind SQL injection, that is, the ability to interfere with the queries the application sends to its database. This could lead to unauthorized data access or manipulation, such as extracting sensitive information from the database.
To reproduce this vulnerability, an authenticated user with Subscriber-level access or higher can send a request with a crafted 'rid' parameter. The insufficient input sanitization will allow the injection of additional SQL commands, which can be used to extract data from the database.
Users are advised to update the ProfileGrid – User Profiles, Groups and Communities plugin to version 5.9.8.5 or later.
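For developers reviewing similar code, the root cause described above (a request value placed into SQL without preparation) looks like the first function below, and the second shows the hardened form using `$wpdb->prepare()`. This is an added illustration, not ProfileGrid's source code: the function names, the `example_requests` table, its columns, and the assumption that `rid` is a positive integer identifier are all hypothetical.

```php
<?php
// Added illustration; not code from the ProfileGrid plugin.
// Function, table and column names are hypothetical.

/**
 * Vulnerable pattern: the request value becomes part of the SQL text.
 * Escaping alone does not make this safe when the value is used
 * outside quotes, because no quote is needed to change the statement.
 */
function example_get_request_unsafe( $wpdb, $rid ) {
    $table = $wpdb->prefix . 'example_requests'; // hypothetical table
    return $wpdb->get_row( "SELECT id, gid, uid FROM {$table} WHERE id = {$rid}" );
}

/**
 * Hardened pattern: validate the type first, then bind the value
 * through $wpdb->prepare() so it can only ever be data.
 */
function example_get_request_safe( $wpdb, $rid ) {
    // Assumption: 'rid' is a positive integer row identifier.
    $rid = is_scalar( $rid ) ? (string) $rid : '';
    if ( ! ctype_digit( $rid ) || (int) $rid < 1 ) {
        return new WP_Error( 'invalid_rid', 'rid must be a positive integer' );
    }

    $table = $wpdb->prefix . 'example_requests'; // hypothetical table
    // %d forces the argument to an integer before it reaches the query.
    $sql = $wpdb->prepare(
        "SELECT id, gid, uid FROM {$table} WHERE id = %d",
        (int) $rid
    );
    return $wpdb->get_row( $sql );
}

// Hypothetical caller inside a request handler:
// $rid = isset( $_REQUEST['rid'] ) ? wp_unslash( $_REQUEST['rid'] ) : '';
// $row = example_get_request_safe( $GLOBALS['wpdb'], $rid );
// if ( is_wp_error( $row ) ) { wp_send_json_error( $row->get_error_message(), 400 ); }
```

Rejecting non-numeric input before the query also gives site operators a clean signal to log, since a well-behaved client never sends a non-integer identifier.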