Description
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Metagauss ProfileGrid profilegrid-user-profiles-groups-and-communities allows SQL Injection.This issue affects ProfileGrid : from n/a through <= 5.9.5.2.
Published: 2025-07-16
Score: 8.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is an SQL injection (CWE-89): user-controlled input reaches an SQL statement without being neutralized, so an attacker can change the query the plugin runs against the WordPress database. The CVSS vector recorded on this page rates the impact as high for confidentiality (C:H), none for integrity (I:N) and low for availability (A:L), so the expected outcome is disclosure of database contents (user, profile and other site data) rather than modification or deletion; the scope-changed rating (S:C) indicates that the impact extends beyond the plugin itself to the WordPress installation that hosts it.

Affected Systems

Metagauss ProfileGrid (WordPress plugin slug profilegrid-user-profiles-groups-and-communities) is affected in all releases up to and including version 5.9.5.2. The affected range ends at 5.9.5.2, but this page does not name the release that fixes the issue, so the fix should be confirmed in the plugin's changelog rather than assumed from the next version number.

Risk and Exploitability

The CVSS 3.1 base score of 8.5 (High) comes from the vector AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L: the flaw is reachable over the network with low attack complexity and no user interaction, but it requires low privileges (PR:L), that is, an authenticated account such as a registered subscriber-level user, not an unauthenticated visitor. The EPSS score (0.00028, below 1%) and the SSVC assessment on this page (Exploitation: none, Automatable: no, Technical Impact: total) indicate no known exploitation at the time of assessment, and the issue is not listed in the CISA KEV catalog. The practical threat is a registered user submitting crafted input to a plugin endpoint; sites that allow open registration should treat PR:L as a low bar, since any visitor can become a low-privilege user.

Generated by OpenCVE AI on April 30, 2026 at 09:27 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update ProfileGrid to a release that addresses the issue once Metagauss publishes one; this page lists no fixed version, so verify the fix in the plugin changelog rather than assuming it from a version number.
  • Treat a web application firewall rule that blocks SQL syntax on the plugin's input fields as a stopgap only: it reduces exposure but does not close the bug. The actual fix is to route every query that incorporates request data through $wpdb->prepare() with placeholders rather than string concatenation.
  • Run WordPress with a dedicated MySQL/MariaDB user whose grants are limited to its own database (a common minimum is SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, ALTER and INDEX on that database) and that holds no global privileges such as FILE, SUPER or PROCESS. This does not prevent the injection, but it limits what an injected query can read or write beyond the site's own tables.

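The mechanism described under Impact and the fix the recommended actions point at, as an added illustration that is not ProfileGrid's code (the vulnerable code path in the plugin is not disclosed on this page): a profile lookup that concatenates a request value into SQL, beside the same lookup using a bound parameter. The table name, columns, rows and the payload are constructed for the example, and an in-memory SQLite database stands in for the WordPress MySQL database so the script runs with plain php-cli.

```php
<?php
// Added illustration of CWE-89 (not ProfileGrid code). The table, rows and
// payload below are constructed for the example; SQLite in memory replaces
// the site's MySQL database so the script is self-contained.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

// Constructed sample data standing in for a plugin's profile table.
// Rows with is_private = 1 must never be returned to other users.
$db->exec('CREATE TABLE wp_pm_profiles (id INTEGER PRIMARY KEY, username TEXT, email TEXT, is_private INTEGER)');
$db->exec("INSERT INTO wp_pm_profiles VALUES (1, 'alice', 'alice@example.com', 0)");
$db->exec("INSERT INTO wp_pm_profiles VALUES (2, 'bob',   'bob@example.com',   1)");
$db->exec("INSERT INTO wp_pm_profiles VALUES (3, 'carol', 'carol@example.com', 1)");

// Vulnerable pattern: the request value is interpolated into the statement,
// so quote characters in it are parsed as SQL, not as data.
function lookup_vulnerable(PDO $db, string $username): array
{
    $sql = "SELECT username, email FROM wp_pm_profiles "
         . "WHERE username = '$username' AND is_private = 0";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened pattern: the value is bound to a placeholder by the driver and
// never reaches the SQL parser as code, whatever characters it contains.
function lookup_prepared(PDO $db, string $username): array
{
    $stmt = $db->prepare(
        'SELECT username, email FROM wp_pm_profiles WHERE username = ? AND is_private = 0'
    );
    $stmt->execute([$username]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed payload: closes the string literal, makes the WHERE clause
// always true, and comments out the privacy filter that follows.
$payload = "x' OR 1=1 --";

print_r(lookup_vulnerable($db, 'alice'));    // intended behaviour: one public row
print_r(lookup_vulnerable($db, $payload));   // all three rows, private profiles included
print_r(lookup_prepared($db, $payload));     // no rows: the payload is just an unknown username
```

In a WordPress plugin the equivalent of the hardened form is `$wpdb->get_results( $wpdb->prepare( "SELECT ... WHERE username = %s", $username ) )`. A quick audit check for this class of bug is to search the plugin for `$wpdb->query`, `get_results`, `get_var`, `get_row` and `get_col` calls whose SQL string interpolates a variable derived from `$_GET`, `$_POST`, `$_REQUEST` or REST/AJAX parameters without passing through `$wpdb->prepare()`; `esc_sql()` on its own is a weaker substitute because it only escapes quoted string contexts and does nothing for values used as numbers, identifiers or in `ORDER BY`.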


Advisories

  Source: EUVD
  ID:     EUVD-2025-21629
  Title:  Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Metagauss ProfileGrid allows SQL Injection. This issue affects ProfileGrid : from n/a through 5.9.5.2.
History

Thu, 23 Apr 2026 15:00:00 +0000

  Metrics (cvssV3_1):
    {'score': 8.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L'}

Wed, 01 Apr 2026 23:45:00 +0000

  Description:
    Removed: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Metagauss ProfileGrid allows SQL Injection. This issue affects ProfileGrid : from n/a through 5.9.5.2.
    Added:   Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Metagauss ProfileGrid profilegrid-user-profiles-groups-and-communities allows SQL Injection.This issue affects ProfileGrid : from n/a through <= 5.9.5.2.
  Title:
    Removed: WordPress ProfileGrid <= 5.9.5.2 - SQL Injection Vulnerability
    Added:   WordPress ProfileGrid plugin <= 5.9.5.2 - SQL Injection vulnerability
  References
  Metrics (cvssV3_1):
    {'score': 8.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L'}

Wed, 16 Jul 2025 21:15:00 +0000

  Metrics (ssvc):
    {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Wed, 16 Jul 2025 13:45:00 +0000

  Metrics (epss):
    {'score': 0.00028}

Wed, 16 Jul 2025 11:45:00 +0000

  Description: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Metagauss ProfileGrid allows SQL Injection. This issue affects ProfileGrid : from n/a through 5.9.5.2.
  Title: WordPress ProfileGrid <= 5.9.5.2 - SQL Injection Vulnerability
  Weaknesses: CWE-89
  References
  Metrics (cvssV3_1):
    {'score': 8.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L'}


Subscriptions

  Metagauss / Profilegrid
  Wordpress / Wordpress
MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:13:06.707Z

Reserved: 2025-06-11T16:06:15.665Z

Link: CVE-2025-49876

Vulnrichment

Updated: 2025-07-16T20:24:25.635Z

NVD

Status : Deferred

Published: 2025-07-16T12:15:28.083

Modified: 2026-04-23T15:31:45.963

Link: CVE-2025-49876

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-30T09:30:15Z

Weaknesses: CWE-89