Description
The ProfileGrid – User Profiles, Groups and Communities plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 5.9.4.5 via deserialization of untrusted input in the get_user_meta_fields_html function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to inject a PHP Object. No known POP chain is present in the vulnerable software, which means this vulnerability has no impact unless another plugin or theme containing a POP chain is installed on the site. If a POP chain is present via an additional plugin or theme installed on the target system, it may allow the attacker to perform actions like delete arbitrary files, retrieve sensitive data, or execute code depending on the POP chain present.
Published: 2025-03-22
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Code execution via PHP Object Injection when a POP chain is present
Action: Patch
AI Analysis

Impact

The vulnerability is a PHP Object Injection flaw in the ProfileGrid plugin’s get_user_meta_fields_html function. An authenticated user with the Subscriber role or higher can supply crafted serialized data that is deserialized without proper validation. The plugin itself does not contain a known Property-Oriented Programming (POP) chain, so the flaw cannot directly execute code. However, if another plugin or theme on the same WordPress installation includes a POP chain, the attacker can leverage that chain to delete files, read sensitive data, or run arbitrary code.

Affected Systems

All WordPress sites running any version of the ProfileGrid – User Profiles, Groups and Communities plugin up to and including 5.9.4.5 are affected. The risk applies only to sites where a vulnerable POP chain is also present, such as unpatched themes or third‑party plugins that deserialize user input.

Risk and Exploitability

The CVSS score of 8.8 indicates a high severity scenario. The EPSS score is below 1%, suggesting the exploitation likelihood is currently low, and the vulnerability is not listed in the CISA KEV catalog. Nonetheless, the flaw is exploitable by anyone with Subscriber or greater access and requires only that the site host an additional plugin or theme that contains a PHP Object Injection POP chain. Should such a chain exist, the impact can rise to full code execution or arbitrary file modification.

Generated by OpenCVE AI on April 22, 2026 at 17:46 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the ProfileGrid plugin to the latest version (5.9.4.6 or higher).
  • Verify that no other installed plugins or themes contain a PHP Object Injection POP chain; if they do, upgrade or remove those components.
  • Restrict Subscriber and lower roles from accessing the get_user_meta_fields_html endpoint, or disable that feature for non-privileged users.


Advisories
Source: EUVD
ID: EUVD-2025-7194
Title: The ProfileGrid – User Profiles, Groups and Communities plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 5.9.4.5 via deserialization of untrusted input in the get_user_meta_fields_html function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to inject a PHP Object. No known POP chain is present in the vulnerable software, which means this vulnerability has no impact unless another plugin or theme containing a POP chain is installed on the site. If a POP chain is present via an additional plugin or theme installed on the target system, it may allow the attacker to perform actions like delete arbitrary files, retrieve sensitive data, or execute code depending on the POP chain present.

History

Tue, 01 Apr 2025 17:15:00 +0000

Values Removed: (none)
Values Added:
  • Metrics: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 27 Mar 2025 01:00:00 +0000

Values Removed: (none)
Values Added:
  • First Time appeared: Metagauss; Metagauss profilegrid
  • CPEs: cpe:2.3:a:metagauss:profilegrid:*:*:*:*:*:wordpress:*:*
  • Vendors & Products: Metagauss; Metagauss profilegrid

Sat, 22 Mar 2025 04:45:00 +0000

Values Removed: (none)
Values Added:
  • Description: The ProfileGrid – User Profiles, Groups and Communities plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 5.9.4.5 via deserialization of untrusted input in the get_user_meta_fields_html function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to inject a PHP Object. No known POP chain is present in the vulnerable software, which means this vulnerability has no impact unless another plugin or theme containing a POP chain is installed on the site. If a POP chain is present via an additional plugin or theme installed on the target system, it may allow the attacker to perform actions like delete arbitrary files, retrieve sensitive data, or execute code depending on the POP chain present.
  • Title: ProfileGrid – User Profiles, Groups and Communities <= 5.9.4.5 - Authenticated (Subscriber+) PHP Object Injection
  • Weaknesses: CWE-502
  • References
  • Metrics: cvssV3_1 {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}

MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:59:03.467Z

Reserved: 2025-01-26T23:46:47.255Z

Link: CVE-2025-0724

Vulnrichment

Updated: 2025-04-01T16:32:15.225Z

NVD

Status: Analyzed

Published: 2025-03-22T05:15:38.200

Modified: 2025-03-27T00:43:04.040

Link: CVE-2025-0724

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-22T18:00:05Z

Weaknesses