Where should operators start on this Plugin hub?

Start with the priority CVE quick links, then open the full report for affected versions, remediation notes, CVSS vectors, and source references.

Plugin Vulnerability Hub

Plugin 54 known issues Latest disclosed Jun 29, 2026

ProfileGrid – User Profiles, Groups and Communities Vulnerabilities

Q: Which ProfileGrid – User Profiles, Groups and Communities CVEs are tracked?

ProfileGrid – User Profiles, Groups and Communities tracked CVEs include CVE-2024-30490, CVE-2024-30491, CVE-2026-12073, CVE-2025-0724, and CVE-2025-26999.

Q: How many ProfileGrid – User Profiles, Groups and Communities vulnerabilities have patch guidance?

54 of 54 tracked ProfileGrid – User Profiles, Groups and Communities records include a published patch path.

Review known vulnerability records for the WordPress plugin ProfileGrid – User Profiles, Groups and Communities (`profilegrid-user-profiles-groups-and-communities`), including severity, CVE references, affected versions, and patch status.

Recent tracked CVEs on this page include CVE-2026-12073, CVE-2026-4610 and CVE-2026-4607, so operators can jump from disclosure to patch validation without scanning the full feed first.

View on WordPress.org Back to Feed

Known Records

High or Critical

Patch Coverage

100%

Last Updated

Jun 29, 2026

Related Security Guides

Use these guides while reviewing ProfileGrid – User Profiles, Groups and Communities fixes

Pair this plugin vulnerability hub with practical WordPress hardening, scanner, and patch workflow guidance.

Hardening

WordPress hardening checklist for exposed plugins

Review patch cadence, privileged access, XML-RPC exposure, backups, and monitoring controls.

Plugin Security

WordPress plugin security basics for patch decisions

Use ownership, update testing, least privilege, and removal criteria to reduce plugin risk.

Scanning

WordPress vulnerability scanner buyer's guide

Compare scanner coverage for plugin CVEs, version detection, alert noise, and remediation workflow.

Patch Decision Workflow

How to prioritize ProfileGrid – User Profiles, Groups and Communities remediation

Use the hub as a decision layer before opening individual records: confirm whether the issue has a CVE, whether a fixed version exists, and whether the affected range overlaps production installs.

Search-Ready Records

1. Match the Package

Confirm the installed WordPress plugin slug is profilegrid-user-profiles-groups-and-communities before acting on any CVE from this cluster.

2. Sort by Severity

Start with 11 high or critical records, then review medium and unrated findings with public references.

3. Check Patch Evidence

54 records include a patch path; verify compatibility before closing the finding.

4. Monitor Gaps

0 records still lack a listed fixed release, so keep this hub in the review queue.

High-Signal Remediation Targets

CVE-2024-30490 Critical

SQL Injection remediation for ProfileGrid – User Profiles, Groups and Communities

Affected range: Versions up to 5.7.8. Fixed version: 5.7.9.

CVE-2024-30491 Critical

SQL Injection remediation for ProfileGrid – User Profiles, Groups and Communities

Affected range: Versions up to 5.7.8. Fixed version: 5.7.9.

CVE-2026-12073 Critical

Authorization Bypass remediation for ProfileGrid – User Profiles, Groups and Communities

Affected range: Versions up to 5.9.9.5. Fixed version: 5.9.9.6.

CVE-2025-0724 High

Vulnerability remediation for ProfileGrid – User Profiles, Groups and Communities

Affected range: Versions up to 5.9.4.5. Fixed version: 5.9.4.6.

Priority CVE Quick Links

Fast paths into ProfileGrid – User Profiles, Groups and Communities CVE reports

Start with the highest-signal CVE records for this WordPress plugin before scanning the full vulnerability feed.

Indexed CVEs

Tracked CVE	Issue Type	Affected Versions	Fixed Version	CVSS
CVE-2024-30490 ProfileGrid <= 5.7.8 - Unauthenticated SQL Injection	SQL Injection	Versions up to 5.7.8	5.7.9	CVSS 10.0
CVE-2024-30491 ProfileGrid <= 5.7.8 - Authenticated (Subscriber+) SQL Injection	SQL Injection	Versions up to 5.7.8	5.7.9	CVSS 9.9
CVE-2026-12073 ProfileGrid - User Profiles, Groups and Communities <= 5.9.9.5 - Unauthenticated Pri...	Authorization Bypass	Versions up to 5.9.9.5	5.9.9.6	CVSS 9.8
CVE-2025-0724 ProfileGrid – User Profiles, Groups and Communities <= 5.9.4.5 - Authenticated (Subs...	Vulnerability	Versions up to 5.9.4.5	5.9.4.6	CVSS 8.8
CVE-2025-26999 ProfileGrid <= 5.9.4.3 - Authenticated (Subscriber+) PHP Object Injection	Vulnerability	Versions up to 5.9.4.3	5.9.4.4	CVSS 8.8
CVE-2024-6411 ProfileGrid – User Profiles, Groups and Communities <= 5.8.9 - Authenticated (Subscr...	Authorization Bypass	Versions up to 5.8.9	5.9.0	CVSS 8.8
CVE-2023-3713 ProfileGrid <= 5.5.1 - Authenticated (Subscriber+) Arbitrary Option Update	Privilege Escalation	Versions up to 5.5.1	5.5.2	CVSS 8.8
CVE-2023-0940 ProfileGrid <= 5.3.0 - Missing Authorization to Arbitrary Password Reset	Authorization Bypass	Versions up to 5.3.0	5.3.1	CVSS 8.8

CVE-2024-30490 Critical 5.7.9

CVE-2024-30490 ProfileGrid – User Profiles, Groups and Communities SQL Injection

ProfileGrid <= 5.7.8 - Unauthenticated SQL Injection

CVE-2024-30491 Critical 5.7.9

CVE-2024-30491 ProfileGrid – User Profiles, Groups and Communities SQL Injection

ProfileGrid <= 5.7.8 - Authenticated (Subscriber+) SQL Injection

CVE-2026-12073 Critical 5.9.9.6

CVE-2026-12073 ProfileGrid – User Profiles, Groups and Communities Authorization Bypass

ProfileGrid - User Profiles, Groups and Communities <= 5.9.9.5 - Unauthenticated Privilege Escalation via Email Overwrite

CVE-2025-0724 High 5.9.4.6

CVE-2025-0724 ProfileGrid – User Profiles, Groups and Communities Vulnerability

ProfileGrid – User Profiles, Groups and Communities <= 5.9.4.5 - Authenticated (Subscriber+) PHP Object Injection

CVE-2025-26999 High 5.9.4.4

CVE-2025-26999 ProfileGrid – User Profiles, Groups and Communities Vulnerability

ProfileGrid <= 5.9.4.3 - Authenticated (Subscriber+) PHP Object Injection

CVE-2024-6411 High 5.9.0

CVE-2024-6411 ProfileGrid – User Profiles, Groups and Communities Authorization Bypass

ProfileGrid – User Profiles, Groups and Communities <= 5.8.9 - Authenticated (Subscriber+) Authorization Bypass to Privilege Escalation

CVE-2023-3713 High 5.5.2

CVE-2023-3713 ProfileGrid – User Profiles, Groups and Communities Privilege Escalation

ProfileGrid <= 5.5.1 - Authenticated (Subscriber+) Arbitrary Option Update

CVE-2023-0940 High 5.3.1

CVE-2023-0940 ProfileGrid – User Profiles, Groups and Communities Authorization Bypass

ProfileGrid <= 5.3.0 - Missing Authorization to Arbitrary Password Reset

Coverage Snapshot

What this page helps you verify fast

This hub clusters tracked records for ProfileGrid – User Profiles, Groups and Communities so operators can confirm whether a disclosed issue maps to the installed slug, version range, and patch path.

Patch Visibility

54 records include a published patch path, leaving 0 with no listed safe release yet.

Severity Mix

3 critical and 8 high severity findings.

Recent CVEs

CVE-2026-12073, CVE-2026-4610 and CVE-2026-4607

Reference Workflow

Jump from the hub into the full report when you need remediation notes, exploit context, CVSS vectors, or source references.

Triage First

Open the records most likely to drive action

These recent records surface the CVE strings, patch cues, and direct report links most operators need first.

CVE-2026-12073 Critical Patch path listed

CVE-2026-12073: ProfileGrid - User Profiles, Groups and Communities <= 5.9.9.5 - Unauthenticated Privilege Escalation via Email Overwrite

The ProfileGrid – User Profiles, Groups and Communities plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 5.9.9.5. This is...

Published

Jun 29, 2026

Patch Status

5.9.9.6

Review CVE-2026-12073 affected versions

CVE-2026-4610 Medium Patch path listed

CVE-2026-4610: ProfileGrid <= 5.9.9.2 - Authenticated (Subscriber+) Stored Cross-Site Scripting via Message Content

The ProfileGrid – User Profiles, Groups and Communities plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'pm_author_message' parameter in the pm_send_message_to_auth...

Published

Jun 22, 2026

Patch Status

5.9.9.3

Review CVE-2026-4610 affected versions

CVE-2026-4607 Medium Patch path listed

CVE-2026-4607: ProfileGrid <= 5.9.8.4 - Missing Authorization to Authenticated (Subscriber+) Group Settings Modification

The ProfileGrid – User Profiles, Groups and Communities plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 5.9.8.4. This is due to the plugin no...

Published

May 12, 2026

Patch Status

5.9.8.5

Review CVE-2026-4607 affected versions

Known Vulnerabilities

Reports for ProfileGrid – User Profiles, Groups and Communities

Sorted by latest disclosure date so newly published issues surface first.

Plugin Critical Patched: Yes CVE-2026-12073

CVE-2026-12073: ProfileGrid - User Profiles, Groups and Communities <= 5.9.9.5 - Unauthenticated Privilege Escalation via Email Overwrite

The ProfileGrid – User Profiles, Groups and Communities plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 5.9.9.5. This is due to the plugin not validating a `user_login` on registration forms that don't contain...

Published

Jun 29, 2026

Patched Release

5.9.9.6

Affected Versions

Versions up to 5.9.9.5

Next Step

Update to 5.9.9.6 or newer if supported.

Review CVE-2026-12073 fixed version details Open CVE Reference

Plugin Medium Patched: Yes CVE-2026-4610

CVE-2026-4610: ProfileGrid <= 5.9.9.2 - Authenticated (Subscriber+) Stored Cross-Site Scripting via Message Content

The ProfileGrid – User Profiles, Groups and Communities plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'pm_author_message' parameter in the pm_send_message_to_author function in all versions up to, and including, 5.9.9.2 due to insufficient input saniti...

Published

Jun 22, 2026

Patched Release

5.9.9.3

Affected Versions

Versions up to 5.9.9.2

Next Step

Update to 5.9.9.3 or newer if supported.

Review CVE-2026-4610 fixed version details Open CVE Reference

Plugin Medium Patched: Yes CVE-2026-4607

CVE-2026-4607: ProfileGrid <= 5.9.8.4 - Missing Authorization to Authenticated (Subscriber+) Group Settings Modification

The ProfileGrid – User Profiles, Groups and Communities plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 5.9.8.4. This is due to the plugin not properly verifying that a user is authorized to perform an action via the pm_set_group_o...

Published

May 12, 2026

Patched Release

5.9.8.5

Affected Versions

Versions up to 5.9.8.4

Next Step

Update to 5.9.8.5 or newer if supported.

Review CVE-2026-4607 fixed version details Open CVE Reference

Plugin Medium Patched: Yes CVE-2026-4608

CVE-2026-4608: ProfileGrid <= 5.9.8.4 - Authenticated (Subscriber+) SQL Injection via 'rid' Parameter

The ProfileGrid – User Profiles, Groups and Communities plugin for WordPress is vulnerable to blind SQL Injection via the 'rid' parameter in all versions up to, and including, 5.9.8.4 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation o...

Published

May 12, 2026

Patched Release

5.9.8.5

Affected Versions

Versions up to 5.9.8.4

Next Step

Update to 5.9.8.5 or newer if supported.

Review CVE-2026-4608 fixed version details Open CVE Reference

Plugin High Patched: Yes CVE-2026-4609

CVE-2026-4609: ProfileGrid <= 5.9.8.4 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Group Joining

The ProfileGrid – User Profiles, Groups and Communities plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the pm_invite_user function in all versions up to, and including, 5.9.8.4. This makes it possible for authenticated attackers, wi...

Published

May 12, 2026

Patched Release

5.9.8.5

Affected Versions

Versions up to 5.9.8.4

Next Step

Update to 5.9.8.5 or newer if supported.

Review CVE-2026-4609 fixed version details Open CVE Reference

Plugin Medium Patched: Yes CVE-2026-25417

CVE-2026-25417: ProfileGrid – User Profiles, Groups and Communities <= 5.9.8.1 - Authenticated (Subscriber+) Stored Cross-Site Scripting

The ProfileGrid – User Profiles, Groups and Communities plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 5.9.8.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with...

Published

Mar 23, 2026

Patched Release

5.9.8.2

Affected Versions

Versions up to 5.9.8.1

Next Step

Update to 5.9.8.2 or newer if supported.

Review CVE-2026-25417 fixed version details Open CVE Reference

Plugin Medium Patched: Yes CVE-2026-2488

CVE-2026-2488: ProfileGrid <= 5.9.8.1 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Message Deletion

The ProfileGrid – User Profiles, Groups and Communities plugin for WordPress is vulnerable to unauthorized message deletion due to a missing capability check on the pg_delete_msg() function in all versions up to, and including, 5.9.8.1. This is due to the function not verifying t...

Published

Mar 06, 2026

Patched Release

5.9.8.2

Affected Versions

Versions up to 5.9.8.1

Next Step

Update to 5.9.8.2 or newer if supported.

Review CVE-2026-2488 fixed version details Open CVE Reference

Plugin Medium Patched: Yes CVE-2026-2494

CVE-2026-2494: ProfileGrid <= 5.9.8.2 - Cross-Site Request Forgery to Group Membership Request Approval/Denial

The ProfileGrid – User Profiles, Groups and Communities plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 5.9.8.2. This is due to missing nonce validation on the membership request management page (approve and decline actions)....

Published

Mar 06, 2026

Patched Release

5.9.8.3

Affected Versions

Versions up to 5.9.8.2

Next Step

Update to 5.9.8.3 or newer if supported.

Review CVE-2026-2494 fixed version details Open CVE Reference

Plugin Medium Patched: Yes CVE-2026-1271

CVE-2026-1271: ProfileGrid <= 5.9.7.2 - Insecure Direct Object Reference to Authenticated (Subscriber+) Arbitrary User Profile and Cover Image Modification

The ProfileGrid – User Profiles, Groups and Communities plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 5.9.7.2 via the 'pm_upload_image' and 'pm_upload_cover_image' AJAX actions. This is due to the update_user_meta() f...

Published

Feb 04, 2026

Patched Release

5.9.7.3

Affected Versions

Versions up to 5.9.7.2

Next Step

Update to 5.9.7.3 or newer if supported.

Review CVE-2026-1271 fixed version details Open CVE Reference

Plugin Medium Patched: Yes CVE-2025-13416

CVE-2025-13416: ProfileGrid – User Profiles, Groups and Communities <= 5.9.7.2 - Missing Authorization to Authenticated (Subscriber+) Arbitrary User Suspension

The ProfileGrid – User Profiles, Groups and Communities plugin for WordPress is vulnerable to unauthorized user suspension due to a missing capability check on the pm_deactivate_user_from_group() function in all versions up to, and including, 5.9.7.2. This makes it possible for a...

Published

Feb 04, 2026

Patched Release

5.9.7.3

Affected Versions

Versions up to 5.9.7.2

Next Step

Update to 5.9.7.3 or newer if supported.

Review CVE-2025-13416 fixed version details Open CVE Reference

Plugin Medium Patched: Yes CVE-2025-4957

CVE-2025-4957: ProfileGrid – User Profiles, Groups and Communities <= 5.9.5.7 - Reflected Cross-Site Scripting

The ProfileGrid – User Profiles, Groups and Communities plugin for WordPress is vulnerable to Reflected Cross-Site Scripting in all versions up to, and including, 5.9.5.7 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attack...

Published

Sep 01, 2025

Patched Release

5.9.5.8

Affected Versions

Versions up to 5.9.5.7

Next Step

Update to 5.9.5.8 or newer if supported.

Review CVE-2025-4957 fixed version details Open CVE Reference

Plugin Medium Patched: Yes CVE-2025-49033

CVE-2025-49033: ProfileGrid <= 5.9.5.3 - Authenticated (Subscriber+) SQL Injection

The ProfileGrid plugin for WordPress is vulnerable to SQL Injection in versions up to, and including, 5.9.5.3 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attacke...

Published

Jul 24, 2025

Patched Release

5.9.5.4

Affected Versions

Versions up to 5.9.5.3

Next Step

Update to 5.9.5.4 or newer if supported.

Review CVE-2025-49033 fixed version details Open CVE Reference