4.3
ProfileGrid plugin allows attackers to manipulate group memberships
CVE-2026-2494
Summary
The ProfileGrid plugin for WordPress is vulnerable to cross-site request forgery (CSRF) that could allow an attacker to approve or decline group membership requests. The attack only works if an administrator clicks a malicious link sent by the attacker. To protect your site, update the ProfileGrid plugin to the latest version or remove it if you don't need it.
Original title
The ProfileGrid – User Profiles, Groups and Communities plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 5.9.8.2. This is due to missing nonce ...
Original description
The ProfileGrid – User Profiles, Groups and Communities plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 5.9.8.2. This is due to missing nonce validation on the membership request management page (approve and decline actions). This makes it possible for unauthenticated attackers to approve or deny group membership requests via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
NVD CVSS 3.1
4.3
Vulnerability type
CWE-352
Cross-Site Request Forgery (CSRF)
- https://plugins.trac.wordpress.org/browser/profilegrid-user-profiles-groups-and-...
- https://plugins.trac.wordpress.org/browser/profilegrid-user-profiles-groups-and-...
- https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old...
- https://www.wordfence.com/threat-intel/vulnerabilities/id/6b8ffdb9-b8c6-428c-a04...
Published: 7 Mar 2026 · Updated: 13 Mar 2026 · First seen: 7 Mar 2026