WordPress Plugin Vulnerabilities

ProfileGrid < 5.9.8.3 - Cross-Site Request Forgery to Group Membership Request Approval/Denial

Description

The ProfileGrid – User Profiles, Groups and Communities plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 5.9.8.2. This is due to missing nonce validation on the membership request management page (approve and decline actions). This makes it possible for unauthenticated attackers to approve or deny group membership requests via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

Affects Plugins

Plugin icon
profilegrid-user-profiles-groups-and-communities
Fixed in 5.9.8.3

References

CVE
CVE-2026-2494
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/6b8ffdb9-b8c6-428c-a047-8e5286b2c2fb

Classification

Type
CSRF
OWASP top 10
A2: Broken Authentication and Session Management
CWE
CWE-352
CVSS
4.3 (medium)

Miscellaneous

Original Researcher
Sergej Ljubojevic, Boris Bogosavac
Verified
No
WPVDB ID
eb02e748-9a76-45fe-bebe-66308694e5e1

Timeline

Publicly Published
2026-03-06 (about 2 months ago)
Added
2026-03-06 (about 2 months ago)
Last Updated
2026-03-07 (about 2 months ago)

Other

Published
Title
Published
2025-03-31
Title
Useinfluence <= 1.0.8 - Cross-Site Request Forgery
Published
2025-04-01
Title
JSON Structuring Markup <= 0.1 - Cross-Site Request Forgery to Stored Cross-Site Scripting
Published
2025-12-16
Title
Download Plugins and Themes from Dashboard < 1.9.7 - Cross-Site Request Forgery to Bulk Plugin/Theme Archival
Published
2026-04-14
Title
Product Pricing Table by WooBeWoo < 1.1.1 - Cross-Site Request Forgery to Stored XSS and Pricing Table Deletion
Published
2022-05-09
Title
Bulk Page Creator < 1.1.4 - Arbitrary Page Creation via CSRF