Description
The ProfileGrid – User Profiles, Groups and Communities plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘pm_get_messenger_notification’ function in all versions up to, and including, 5.9.5.4 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a logged-in user into performing an action such as clicking on a link.
Published: 2025-07-16
Score: 6.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Reflected XSS
Action: Apply Patch
AI Analysis

Impact

The vulnerability resides in the pm_get_messenger_notification function of the ProfileGrid plugin for WordPress. User input is not properly sanitized or escaped before being reflected back to the browser. This flaw, classified as CWE‑79, allows an unauthenticated attacker to embed malicious scripts in a crafted link. When a logged‑in user follows that link, the script runs in the context of the victim’s account, enabling session hijacking, data theft, or defacement.

Affected Systems

All installations of the metagauss ProfileGrid – User Profiles, Groups and Communities plugin for WordPress version 5.9.5.4 or earlier are affected. The issue exists across all WordPress sites that support this plugin version.

Risk and Exploitability

The CVSS score of 6.1 indicates significant impact with medium exploitability. The EPSS score is below 1 %, implying that while the vulnerability exists, it is considered a low probability of exploitation at this time. The vulnerability is not listed in the CISA KEV catalog. An attacker can gain access without authentication and must solely rely on persuading a logged‑in user to click a malicious link, which is a feasible social‑engineering scenario on most public sites.

Generated by OpenCVE AI on April 20, 2026 at 20:17 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the ProfileGrid plugin to the latest available release (5.9.5.5 or newer).
  • If an update is unavailable, override or replace the pm_get_messenger_notification function with a version that sanitizes output using wp_kses or similar escaping functions.
  • Implement a security‑focused WordPress plugin or host‑level filter to detect and block XSS payloads, and configure alerts for suspicious link clicks.

Generated by OpenCVE AI on April 20, 2026 at 20:17 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-21573 The ProfileGrid – User Profiles, Groups and Communities plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘pm_get_messenger_notification’ function in all versions up to, and including, 5.9.5.4 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a logged-in user into performing an action such as clicking on a link.
History

Fri, 18 Jul 2025 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 16 Jul 2025 20:00:00 +0000

Type Values Removed Values Added
First Time appeared Metagauss
Metagauss profilegrid
CPEs cpe:2.3:a:metagauss:profilegrid:*:*:*:*:*:wordpress:*:*
Vendors & Products Metagauss
Metagauss profilegrid

Wed, 16 Jul 2025 13:45:00 +0000

Type Values Removed Values Added
Metrics epss

{'score': 0.00093}

Wed, 16 Jul 2025 04:30:00 +0000

Type Values Removed Values Added
Description The ProfileGrid – User Profiles, Groups and Communities plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘pm_get_messenger_notification’ function in all versions up to, and including, 5.9.5.4 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a logged-in user into performing an action such as clicking on a link.
Title ProfileGrid – User Profiles, Groups and Communities <= 5.9.5.4 - Reflected Cross-Site Scripting via 'pm_get_messenger_notification' function
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}

Subscriptions

Metagauss Profilegrid
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:15:14.192Z

Reserved: 2025-07-01T15:44:06.247Z

Link: CVE-2025-6977

cve-icon Vulnrichment

Updated: 2025-07-18T14:45:48.404Z

cve-icon NVD

Status : Analyzed

Published: 2025-07-16T05:15:35.223

Modified: 2025-07-16T19:57:43.863

Link: CVE-2025-6977

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-20T20:30:16Z

Weaknesses