Description
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Metagauss ProfileGrid profilegrid-user-profiles-groups-and-communities allows Blind SQL Injection. This issue affects ProfileGrid: from n/a through <= 5.9.5.3.
Published: 2025-08-14
Score: 8.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

This vulnerability is an improper neutralization of special elements in SQL commands, known as a blind SQL Injection. The flaw resides in the ProfileGrid plugin for WordPress, where user‑supplied data is incorporated into database queries without proper parameterization. Because the injection is blind, an attacker can deduce information from error or timing responses, and can also perform destructive actions such as modifying or deleting records. The issue is formally categorized as CWE‑89 and can lead to confidentiality, integrity, and availability impacts on the underlying database.

Affected Systems

Affected systems include any WordPress installation running the Metagauss ProfileGrid plugin up to and including version 5.9.5.3. Other software and WordPress components are unaffected; the attack vector requires that the vulnerable plugin be installed and publicly reachable. Sites that process user input through the plugin are at risk, while those that have removed or disabled the plugin no longer expose this code path.

Risk and Exploitability

The risk is moderate to high. The CVSS score of 8.5 indicates a serious potential for confidentiality, integrity, and availability impact. The EPSS score of less than 1% suggests that real‑world exploitation is uncommon, and the vulnerability is not listed in the CISA KEV catalog. However, the flaw can be triggered via simple HTTP requests without privileged server access, making it a high‑priority concern for site administrators.

Generated by OpenCVE AI on May 2, 2026 at 01:06 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the ProfileGrid plugin to the latest available version containing the vendor‑supplied fix.
  • If an update cannot be applied immediately, remove or disable the ProfileGrid plugin from the WordPress site until the patch is available, eliminating the vulnerable code path.
  • In the long term, audit the plugin’s database interactions to ensure all queries use prepared statements or proper parameterization and confirm that all user input is validated or sanitized before use.



Advisories
Source: EUVD
ID: EUVD-2025-24752
Title: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Metagauss ProfileGrid allows Blind SQL Injection. This issue affects ProfileGrid : from n/a through 5.9.5.3.

History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 8.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L'}


Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description
  Removed: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Metagauss ProfileGrid allows Blind SQL Injection. This issue affects ProfileGrid : from n/a through 5.9.5.3.
  Added: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Metagauss ProfileGrid profilegrid-user-profiles-groups-and-communities allows Blind SQL Injection.This issue affects ProfileGrid : from n/a through <= 5.9.5.3.
Title
  Removed: WordPress ProfileGrid <= 5.9.5.3 - SQL Injection Vulnerability
  Added: WordPress ProfileGrid plugin <= 5.9.5.3 - SQL Injection vulnerability
References
Metrics cvssV3_1

{'score': 8.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L'}


Thu, 14 Aug 2025 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 14 Aug 2025 13:00:00 +0000

Type Values Removed Values Added
First Time appeared Metagauss
Metagauss profilegrid
Wordpress
Wordpress wordpress
Vendors & Products Metagauss
Metagauss profilegrid
Wordpress
Wordpress wordpress

Thu, 14 Aug 2025 10:45:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Metagauss ProfileGrid allows Blind SQL Injection. This issue affects ProfileGrid : from n/a through 5.9.5.3.
Title WordPress ProfileGrid <= 5.9.5.3 - SQL Injection Vulnerability
Weaknesses CWE-89
References
Metrics cvssV3_1

{'score': 8.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:12:57.824Z

Reserved: 2025-05-30T14:04:14.279Z

Link: CVE-2025-49033

Vulnrichment

Updated: 2025-08-14T14:17:47.599Z

NVD

Status: Deferred

Published: 2025-08-14T11:15:35.620

Modified: 2026-04-23T15:31:11.910

Link: CVE-2025-49033

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-02T01:15:06Z

Weaknesses