WordPress Plugin Vulnerabilities

ProfileGrid < 5.9.5.2 - Missing Authorization

Description

The ProfileGrid – User Profiles, Groups and Communities plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in all versions up to, and including, 5.9.5.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to perform an unauthorized action.

Affects Plugins

Plugin icon
profilegrid-user-profiles-groups-and-communities
Fixed in 5.9.5.2

References

CVE
CVE-2025-48079
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/21ca7d14-a6b1-4d02-81c7-bfc5623c4818

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
4.3 (medium)

Miscellaneous

Original Researcher
Trương Hữu Phúc (truonghuuphuc)
Verified
No
WPVDB ID
def64b73-7523-4566-a00e-afaf14bf93bd

Timeline

Publicly Published
2025-05-16 (about 11 months ago)
Added
2025-05-20 (about 11 months ago)
Last Updated
2025-05-20 (about 11 months ago)

Other

Published
Title
Published
2023-11-06
Title
WordPress Backup & Migration < 1.4.4 - Subscriber+ Plugin Settings Update
Published
2025-01-07
Title
Post SMTP < 2.9.12 - Missing Authorization via regenerate_qrcode()
Published
2024-10-28
Title
Masteriyo LMS < 1.13.4 - Subscriber+ Privilege Escalation
Published
2025-01-15
Title
Booking and Rental Manager for Bike < 2.2.2 - Missing Authorization
Published
2026-02-22
Title
WPC Product Bundles for WooCommerce < 8.4.6 - Missing Authorization