WordPress Plugin Vulnerabilities

ProfileGrid < 5.9.5.3 - Authenticated (Subscriber+) Server-Side Request Forgery

Description

The ProfileGrid – User Profiles, Groups and Communities plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 5.9.5.2. This makes it possible for authenticated attackers, with Subscriber-level access and above, to make web requests to arbitrary locations originating from the web application which can be used to query and modify information from internal services.

Affects Plugins

Plugin icon
profilegrid-user-profiles-groups-and-communities
Fixed in 5.9.5.3

References

CVE
CVE-2025-49877
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/404fc2d1-0c5d-4734-980e-ae3ac293d1f3

Classification

Type
SSRF
OWASP top 10
A1: Injection
CWE
CWE-918
CVSS
6.4 (medium)

Miscellaneous

Original Researcher
Trương Hữu Phúc (truonghuuphuc)
Verified
No
WPVDB ID
fbb24fde-eaee-4b5f-aad7-aebb079d0527

Timeline

Publicly Published
2025-06-12 (about 11 months ago)
Added
2025-06-18 (about 10 months ago)
Last Updated
2025-06-18 (about 10 months ago)

Other

Published
Title
Published
2024-04-29
Title
ZD YouTube FLV Player <= 1.2.6 - Server-Side Request Forgery
Published
2025-06-19
Title
WPThumb <= 0.10 - Authenticated (Contributor+) Server-Side Request Forgery
Published
2025-04-11
Title
Royal Elementor Addons < 1.7.1007 - Admin+ SSRF
Published
2023-11-28
Title
CommentLuv <= 4 - Unauthenticated SSRF
Published
2025-08-21
Title
WP Crontrol - 1.17.0 - 1.19.1 - Authenticated (Administrator+) Blind Server-Side Request Forgery