Impact
An unauthenticated Cross-Site Request Forgery (CSRF) flaw exists in the ProfileGrid WordPress plugin in versions up to and including 5.9.9.7. The plugin accepts crafted HTTP requests without verifying their origin or a valid nonce, so a request that a victim's browser submits while the victim is logged in is processed with the victim's session. This lets an attacker trigger actions on behalf of any logged-in user, effectively taking over the victim's account or manipulating user data. The weakness is a classic CSRF flaw identified as CWE-352.
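The root cause the advisory names is a state-changing handler that trusts the login cookie alone. The following added illustration is not ProfileGrid's code: the action name pg_update_profile, the meta keys and the form are hypothetical, and only the WordPress API calls are real. It shows a handler in that weak shape next to one that enforces the two checks a CSRF-resistant WordPress handler needs: a nonce bound to the action and the user's session, and a capability check.

```php
<?php
// Added illustration, not ProfileGrid code. The action name, meta keys and
// form below are hypothetical; only the WordPress API calls are real.

// Weak pattern: a state-changing AJAX handler that relies on the login cookie
// alone. A request submitted from another origin still carries the victim's
// cookie, so WordPress resolves the victim as the current user and applies
// the change.
add_action( 'wp_ajax_pg_update_profile_weak', 'pg_update_profile_weak' );
function pg_update_profile_weak() {
    $user_id = get_current_user_id();  // victim's identity, taken from the cookie
    $field   = sanitize_key( $_POST['field'] ?? '' );
    $value   = sanitize_text_field( wp_unslash( $_POST['value'] ?? '' ) );
    update_user_meta( $user_id, $field, $value );  // no nonce, no capability check
    wp_send_json_success();
}

// Hardened pattern: the request must carry a nonce minted for this action in
// the user's own session, and the user must be allowed to make the change.
add_action( 'wp_ajax_pg_update_profile', 'pg_update_profile' );
function pg_update_profile() {
    // Verifies $_REQUEST['_wpnonce'] against the action 'pg_update_profile';
    // on failure WordPress responds 403 and stops. A page on another origin
    // cannot read the nonce, so it cannot build a request that passes here.
    check_ajax_referer( 'pg_update_profile', '_wpnonce' );

    $user_id = get_current_user_id();
    if ( ! $user_id || ! current_user_can( 'edit_user', $user_id ) ) {
        wp_send_json_error( 'forbidden', 403 );  // sends the response and exits
    }

    // Allow-list the meta keys the client may touch (hypothetical keys).
    $allowed = array( 'pg_display_name', 'pg_bio' );
    $field   = sanitize_key( $_POST['field'] ?? '' );
    if ( ! in_array( $field, $allowed, true ) ) {
        wp_send_json_error( 'unknown field', 400 );
    }
    $value = sanitize_text_field( wp_unslash( $_POST['value'] ?? '' ) );
    update_user_meta( $user_id, $field, $value );
    wp_send_json_success();
}

// The legitimate form embeds the nonce; it is the value the handler checks.
function pg_profile_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-ajax.php' ) ); ?>">
        <input type="hidden" name="action" value="pg_update_profile">
        <?php wp_nonce_field( 'pg_update_profile', '_wpnonce' ); ?>
        <input type="hidden" name="field" value="pg_bio">
        <input type="text" name="value">
        <button type="submit">Save</button>
    </form>
    <?php
}
```

For handlers reached through admin-post.php rather than admin-ajax.php, check_admin_referer() plays the same role as check_ajax_referer(). WordPress nonces are not single-use; they are derived from the user's session and the action name and rotate on a 12-hour tick, which is sufficient to defeat cross-site forgery because the forging page never learns the value. When reviewing a plugin patch for this class of issue, the thing to look for is exactly that pairing on every request that changes state: a nonce check followed by a capability check, not one without the other.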
Affected Systems
The vulnerability affects the ProfileGrid plugin from the vendor Metagauss on WordPress sites where the installed plugin version is 5.9.9.7 or earlier. Any site running one of these versions with the plugin active is exposed.
Risk and Exploitability
With a CVSS score of 8.8, the flaw is rated high severity. No EPSS score is available, and it is not listed in CISA's KEV catalog. The attack vector is likely a crafted URL or form submission that a victim's browser executes without the user noticing, so active logged-in user sessions present the main risk window.
OpenCVE Enrichment