Vulnerability Brief
CVE-2026-4610
What this means for your business
A security vulnerability in the WordPress plugin ProfileGrid could allow an attacker with only a basic level of access (a Subscriber account) to inject malicious code into a website, potentially stealing sensitive information or taking control of the site. This could lead to financial losses, damage to reputation, or even a complete loss of customer trust. To protect your business, update the plugin to the latest patched version, or remove it altogether if it is no longer needed.
- Severity: MEDIUM
- CVSS score: 6.4
Technical summary
The ProfileGrid – User Profiles, Groups and Communities plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'pm_author_message' parameter in the pm_send_message_to_author function in all versions up to, and including, 5.9.9.2, due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers with Subscriber-level access and above to inject arbitrary web scripts into pages; the scripts execute whenever a user accesses an injected page. The vulnerability was partially patched in version 5.9.8.5.
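To make the "insufficient input sanitization and output escaping" point concrete, the following is an added example written for this brief, not code taken from the ProfileGrid plugin: a hypothetical message store-and-render pair in plain PHP, with the vulnerable pattern next to the hardened one. Only the parameter name pm_author_message comes from the advisory; the function names, the in-memory store and the sample message are constructed for illustration, and the standard PHP functions htmlspecialchars() and strip_tags() stand in for the WordPress helpers esc_html() and sanitize_textarea_field().

```php
<?php
// Added illustration of the stored-XSS pattern described in the brief, written
// as plain PHP so it runs from the CLI. It is NOT ProfileGrid code: the
// functions below are hypothetical stand-ins, and the arrays replace the
// plugin's real database access.

// Constructed stand-ins for the message table.
$unsafe_store = [];
$safe_store   = [];

// Vulnerable pattern: the request parameter is stored as received and later
// echoed into HTML without escaping, so any markup the sender included becomes
// part of the page the recipient loads.
function store_message_unsafe(array &$store, string $pm_author_message): void
{
    $store[] = $pm_author_message;                            // no input sanitization
}

function render_message_unsafe(string $message): string
{
    return '<div class="pm-message">' . $message . '</div>';  // no output escaping
}

// Hardened pattern: sanitize on input (in WordPress, sanitize_textarea_field())
// and escape on output (in WordPress, esc_html()). Output escaping is the
// control that stops script execution; input sanitization is defence in depth,
// so both are applied here.
function store_message_safe(array &$store, string $pm_author_message): void
{
    $store[] = trim(strip_tags($pm_author_message));
}

function render_message_safe(string $message): string
{
    return '<div class="pm-message">'
        . htmlspecialchars($message, ENT_QUOTES | ENT_HTML5, 'UTF-8')
        . '</div>';
}

// Constructed sample input resembling what a low-privilege account could submit.
$pm_author_message = 'Hi author! <script>alert(1)</script>';

store_message_unsafe($unsafe_store, $pm_author_message);
$rendered_unsafe = render_message_unsafe($unsafe_store[0]);

store_message_safe($safe_store, $pm_author_message);
$rendered_safe = render_message_safe($safe_store[0]);

// A simple check a code reviewer or test suite can apply: the rendered fragment
// must never contain an executable script element, whatever was stored.
$has_script = static fn(string $html): bool => stripos($html, '<script') !== false;

echo "vulnerable render: " . $rendered_unsafe . PHP_EOL;
echo "  contains script element: " . ($has_script($rendered_unsafe) ? 'yes' : 'no') . PHP_EOL;
echo "hardened render:   " . $rendered_safe . PHP_EOL;
echo "  contains script element: " . ($has_script($rendered_safe) ? 'yes' : 'no') . PHP_EOL;
```

Run it with `php example.php` (PHP 7.4 or later for the arrow function). The vulnerable branch reproduces the condition the advisory describes, a stored message whose markup reaches the recipient's browser intact, while the hardened branch shows why a fix needs the escaping step at the point of output: stripping tags on input alone can be bypassed by encodings or by later edits to the stored value, whereas escaping at render time is what guarantees that whatever sits in the database is displayed as text rather than interpreted as HTML.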