Description
The ProfileGrid – User Profiles, Groups and Communities plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 5.9.7.2 via the 'pm_upload_image' and 'pm_upload_cover_image' AJAX actions. This is due to the update_user_meta() function being called outside of the user authorization check in public/partials/crop.php and public/partials/coverimg_crop.php. This makes it possible for authenticated attackers, with Subscriber-level access and above, to change any user's profile picture or cover image, including administrators.
Published: 2026-02-05
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized profile image modification
Action: Patch
AI Analysis

Impact

The ProfileGrid – User Profiles, Groups and Communities WordPress plugin is affected by insecure direct object reference, recognized as CWE‑639. Because the update_user_meta() function is called outside of the WordPress authorization check in public/partials/crop.php and public/partials/coverimg_crop.php, an authenticated user with Subscriber-level access or higher can directly target the pm_upload_image and pm_upload_cover_image AJAX actions to change any user's profile picture or cover image, even of administrators.

Affected Systems

The Vulnerable component is the ProfileGrid plugin distributed by metagauss. All releases up to and including 5.9.7.2 include the flaw; releases beyond 5.9.7.2 contain the fix.

Risk and Exploitability

With a CVSS score of 5.3 the issue is classified as medium severity. The EPSS score falls below 1%, indicating a low likelihood of exploitation, and the vulnerability is not listed in the CISA KEV catalog. Attackers must be authenticated and must craft appropriate AJAX requests to the pm_upload_image or pm_upload_cover_image endpoints. Although the attack vector requires valid credentials, the flaw permits unauthorized modification of user-identifying imagery, potentially impacting trust and accountability on the site, but does not grant remote code execution or compromise broader system integrity.

Generated by OpenCVE AI on April 16, 2026 at 01:05 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the ProfileGrid plugin to any version newer than 5.9.7.2, which removes the insecure authorization check.
  • If a service‑upgrade is not immediately possible, revoke or remove the "Upload Image" capability from Subscriber+ roles or otherwise restrict the pm_upload_image and pm_upload_cover_image AJAX actions to administrator‑only access.
  • Disable or unregister the vulnerable AJAX endpoints by adding a custom code snippet that hooks into the init action to unregister pm_upload_image and pm_upload_cover_image or by applying a security plugin that blocks unused endpoints.

Generated by OpenCVE AI on April 16, 2026 at 01:05 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 06 Feb 2026 12:15:00 +0000

Type Values Removed Values Added
First Time appeared Metagauss
Metagauss profilegrid
Wordpress
Wordpress wordpress
Vendors & Products Metagauss
Metagauss profilegrid
Wordpress
Wordpress wordpress

Thu, 05 Feb 2026 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 05 Feb 2026 09:30:00 +0000

Type Values Removed Values Added
Description The ProfileGrid – User Profiles, Groups and Communities plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 5.9.7.2 via the 'pm_upload_image' and 'pm_upload_cover_image' AJAX actions. This is due to the update_user_meta() function being called outside of the user authorization check in public/partials/crop.php and public/partials/coverimg_crop.php. This makes it possible for authenticated attackers, with Subscriber-level access and above, to change any user's profile picture or cover image, including administrators.
Title ProfileGrid <= 5.9.7.2 - Insecure Direct Object Reference to Authenticated (Subscriber+) Arbitrary User Profile and Cover Image Modification
Weaknesses CWE-639
References
Metrics cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N'}

Subscriptions

Metagauss Profilegrid
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:00:31.484Z

Reserved: 2026-01-20T21:46:58.650Z

Link: CVE-2026-1271

cve-icon Vulnrichment

Updated: 2026-02-05T14:45:00.723Z

cve-icon NVD

Status : Deferred

Published: 2026-02-05T10:16:03.440

Modified: 2026-04-15T00:35:42.020

Link: CVE-2026-1271

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-16T01:15:20Z

Weaknesses