Description
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Metagauss ProfileGrid profilegrid-user-profiles-groups-and-communities allows SQL Injection. This issue affects ProfileGrid : from n/a through <= 5.9.4.8.
Published: 2025-04-17
Score: 8.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

This flaw is an improper neutralization of special elements in SQL commands within the Metagauss ProfileGrid plugin for WordPress, classified as CWE-89. An attacker could inject arbitrary SQL statements, potentially exfiltrating, modifying, or deleting data in the WordPress database. The vulnerability exists in all plugin versions up to and including 5.9.4.8.

Affected Systems

The affected product is the Metagauss ProfileGrid WordPress plugin, versions 5.9.4.8 and earlier. Any WordPress site that has installed this plugin and is running a database compatible with the plugin’s queries is at risk.

Risk and Exploitability

The CVSS score of 8.5 indicates high severity, while the EPSS score of less than 1% suggests that the probability of exploitation is low but not negligible. The vulnerability is not yet listed in the CISA KEV catalog. The likely attack vector is the plugin’s web interface or API endpoints that accept user input without proper sanitization. No authentication requirement is specified, so the vulnerability could potentially be exploited by unauthenticated users; however, the CVE description does not explicitly confirm this, and the inference rests only on the nature of a typical SQL injection in a WordPress plugin.

Generated by OpenCVE AI on April 30, 2026 at 22:14 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the ProfileGrid plugin to the latest version, at minimum 5.9.4.9 or newer, as the fix removes the injection point.
  • If an upgrade is temporarily infeasible, restrict or block access to the vulnerable plugin endpoints using a web-application firewall or custom rules to reject malicious SQL payloads.
  • Limit database permissions for the WordPress application account to only the schemas and tables required, so that even if injection succeeds, the damage is contained.

Advisories

Source: EUVD
ID: EUVD-2025-11755
Title: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Metagauss ProfileGrid allows SQL Injection. This issue affects ProfileGrid : from n/a through 5.9.4.8.

History

Thu, 23 Apr 2026 15:00:00 +0000

Metrics (cvssV3_1): {'score': 8.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L'}

Wed, 01 Apr 2026 23:45:00 +0000

Description
  Removed: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Metagauss ProfileGrid allows SQL Injection. This issue affects ProfileGrid : from n/a through 5.9.4.8.
  Added: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Metagauss ProfileGrid profilegrid-user-profiles-groups-and-communities allows SQL Injection.This issue affects ProfileGrid : from n/a through <= 5.9.4.8.
Title
  Removed: WordPress ProfileGrid <= 5.9.4.8 - SQL Injection Vulnerability
  Added: WordPress ProfileGrid plugin <= 5.9.4.8 - SQL Injection Vulnerability
References: (no values listed)
Metrics (cvssV3_1): {'score': 8.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L'}

Thu, 17 Apr 2025 19:15:00 +0000

Metrics (ssvc): {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 17 Apr 2025 16:00:00 +0000

Description (added): Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Metagauss ProfileGrid allows SQL Injection. This issue affects ProfileGrid : from n/a through 5.9.4.8.
Title (added): WordPress ProfileGrid <= 5.9.4.8 - SQL Injection Vulnerability
Weaknesses (added): CWE-89
References: (no values listed)
Metrics (cvssV3_1): {'score': 8.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L'}

Subscriptions

Metagauss Profilegrid
MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:12:35.354Z

Reserved: 2025-04-16T06:26:44.221Z

Link: CVE-2025-39586

Vulnrichment

Updated: 2025-04-17T18:09:33.187Z

NVD

Status : Deferred

Published: 2025-04-17T16:15:58.710

Modified: 2026-04-23T15:29:50.373

Link: CVE-2025-39586

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-30T22:15:16Z

Weaknesses