Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Metagauss ProfileGrid profilegrid-user-profiles-groups-and-communities allows Stored XSS. This issue affects ProfileGrid: from n/a through <= 5.9.8.1.
Published: 2026-03-25
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross‑Site Scripting
Action: Apply Patch
AI Analysis

Impact

The vulnerability is a stored cross‑site scripting flaw that occurs when user input is not properly neutralized before display. Attackers could inject malicious scripts that are executed in the browsers of all visitors to the affected WordPress site. This could result in theft of session cookies, defacement, or further client‑side attacks.

Affected Systems

Any WordPress installation running the Metagauss ProfileGrid plugin at version 5.9.8.1 or older is affected. The plugin provides community and user profile management, and the flaw exists in all versions up to and including 5.9.8.1.

Risk and Exploitability

The CVSS base score is 6.5, indicating moderate risk. No EPSS score is currently reported, and the vulnerability is not on CISA’s KEV list. Exploitation requires finding an input vector within the plugin’s UI. Once a payload is injected it is stored and served to every user who views the affected page, so the attacker only needs to persuade a user to act, or to use a secondary vector, in order to inject the data. Remediation is best handled through an immediate update.

Generated by OpenCVE AI on March 25, 2026 at 23:04 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the ProfileGrid plugin to the latest version (>= 5.9.8.2).
  • If an update is not possible, disable the plugin or restrict its usage until a patch is applied.
  • Verify that no unintended input fields remain accessible and configure appropriate security headers such as Content‑Security‑Policy.
  • Keep your WordPress core and other plugins up to date to reduce overall attack surface.



Advisories

No advisories yet.

History

Thu, 26 Mar 2026 12:00:00 +0000

Type: First Time appeared
Values Added: Metagauss; Metagauss profilegrid; Wordpress; Wordpress wordpress

Type: Vendors & Products
Values Added: Metagauss; Metagauss profilegrid; Wordpress; Wordpress wordpress

Wed, 25 Mar 2026 21:15:00 +0000

Type: Metrics
Values Added:
cvssV3_1: {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}
ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 25 Mar 2026 16:45:00 +0000

Type: Description
Values Added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Metagauss ProfileGrid profilegrid-user-profiles-groups-and-communities allows Stored XSS. This issue affects ProfileGrid: from n/a through <= 5.9.8.1.

Type: Title
Values Added: WordPress ProfileGrid plugin <= 5.9.8.1 - Cross Site Scripting (XSS) vulnerability

Type: Weaknesses
Values Added: CWE-79

Type: References
Values Added:

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-24T15:35:33.513Z

Reserved: 2026-02-02T12:53:26.261Z

Link: CVE-2026-25417

Vulnrichment

Updated: 2026-03-25T20:23:03.791Z

NVD

Status : Deferred

Published: 2026-03-25T17:16:50.317

Modified: 2026-04-24T16:35:20.070

Link: CVE-2026-25417

Red Hat

No data.

OpenCVE Enrichment

Updated: 2026-03-26T12:12:41Z

Weaknesses