Impact
The vulnerability is a stored cross‑site scripting flaw triggered by the pm_author_message parameter in the pm_send_message_to_author function. Authenticated users with Subscriber level permissions can inject arbitrary JavaScript into a message that is later rendered on a target’s page. When the target accesses a page containing the injected content, the script runs in the target’s browser, enabling theft of session tokens, cookies, or the execution of malicious actions in the victim’s context. The flaw is a classic input validation and output escaping weakness (CWE‑79).
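As an added illustration (not the ProfileGrid plugin's own code; the handler bodies, meta key, nonce action name and `author_id` field are assumed for the example), a hypothetical WordPress message handler showing the weak store-then-echo pattern the advisory describes beside a hardened version that sanitises on input, escapes on output and checks the request:

```php
<?php
// Hypothetical illustration of the stored-XSS pattern described above and a
// hardened form. Not the plugin's code: handler bodies, the 'pm_author_message'
// meta key, the nonce action and the 'author_id' field are assumptions.

// --- Weak pattern: untrusted text is stored and later echoed unescaped ---
function pm_send_message_to_author_weak() {
    $message = $_POST['pm_author_message'];            // raw, untrusted input
    add_user_meta( (int) $_POST['author_id'], 'pm_author_message', $message );
}
function pm_render_author_messages_weak( $author_id ) {
    foreach ( get_user_meta( $author_id, 'pm_author_message' ) as $m ) {
        echo '<p>' . $m . '</p>';                       // any markup in $m is rendered as HTML
    }
}

// --- Hardened pattern: nonce + login check, sanitise on input, escape on output ---
function pm_send_message_to_author_hardened() {
    // Reject requests that do not carry a valid nonce for this action (CSRF guard).
    check_ajax_referer( 'pm_send_message_to_author', '_wpnonce' );
    if ( ! is_user_logged_in() ) {
        wp_send_json_error( 'not logged in', 403 );
    }
    $author_id = isset( $_POST['author_id'] ) ? absint( $_POST['author_id'] ) : 0;
    if ( ! $author_id || ! get_userdata( $author_id ) ) {
        wp_send_json_error( 'bad recipient', 400 );
    }
    // The message is plain text, not HTML: strip tags and normalise whitespace.
    $message = isset( $_POST['pm_author_message'] )
        ? sanitize_textarea_field( wp_unslash( $_POST['pm_author_message'] ) )
        : '';
    if ( '' === $message ) {
        wp_send_json_error( 'empty message', 400 );
    }
    // Record the sender from the session, never from a client-supplied field.
    add_user_meta( $author_id, 'pm_author_message', array(
        'from' => get_current_user_id(),
        'text' => $message,
    ) );
    wp_send_json_success();
}
function pm_render_author_messages_hardened( $author_id ) {
    foreach ( get_user_meta( $author_id, 'pm_author_message' ) as $m ) {
        // Escape at output regardless of what was stored: esc_html() converts
        // <, >, &, and quotes to entities so the browser treats them as text.
        echo '<p>' . esc_html( $m['text'] ) . '</p>';
    }
}
```

Input sanitisation alone is not enough: older records stored before a fix, or data written by another code path, still reach the template, so the output-side esc_html() is the control that closes the CWE-79 gap.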
Affected Systems
The ProfileGrid – User Profiles, Groups and Communities WordPress plugin is affected in all versions up to and including 5.9.9.2. The plugin is developed by metagauss, and the flaw resides in the core message‑handling code, so every site running an affected version is vulnerable.
Risk and Exploitability
The CVSS score of 6.4 indicates a medium severity vulnerability. The EPSS score is unavailable, and the flaw is not listed in the CISA KEV catalog, suggesting there is no known large‑scale exploitation. Inference: the attack requires authenticated access at the Subscriber level; therefore, attackers must first compromise or guess valid credentials. Once authenticated, they can craft a malicious message and later have other users view the affected page to trigger the script execution. The risk is that any user with a valid session who can view the message will be compromised, but the vulnerability cannot be triggered without an initial authenticated foothold.
OpenCVE Enrichment