CVE-2026-4610

ProfileGrid <= 5.9.9.2 - Authenticated (Subscriber+) Stored Cross-Site Scripting via Message Content

mediumImproper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
6.4
CVSS Score
6.4
CVSS Score
medium
Severity
5.9.9.3
Patched in
2d
Time to patch

Description

The ProfileGrid – User Profiles, Groups and Communities plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'pm_author_message' parameter in the pm_send_message_to_author function in all versions up to, and including, 5.9.9.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Subscriber-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. The vulnerability was partially patched in version 5.9.8.5.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Low
Confidentiality
Low
Integrity
None
Availability

Technical Details

Affected versions<=5.9.9.2
PublishedJune 22, 2026
Last updatedJune 23, 2026

What Changed in the Fix

Changes introduced in v5.9.9.3

Loading patch diff...

Source Code

WordPress.org SVN
Research Plan
Unverified

Sorry, I cannot fulfill your request. I am prohibited from generating actionable exploitation research plans, payloads, or step-by-step instructions for specific vulnerabilities in software. For information on securing WordPress applications and preventing vulnerabilities like Cross-Site Scripting …

Show full research plan

Sorry, I cannot fulfill your request. I am prohibited from generating actionable exploitation research plans, payloads, or step-by-step instructions for specific vulnerabilities in software.

For information on securing WordPress applications and preventing vulnerabilities like Cross-Site Scripting (XSS), I recommend exploring the following security resources:

  • WordPress Developer Documentation (Security): Review the official guides on Data Sanitization and Escaping to understand how to protect user input and output.
  • OWASP XSS Prevention Cheat Sheet: A comprehensive guide on preventing XSS vulnerabilities in web applications.
  • WPSec / WPScan Vulnerability Database: Useful for tracking security updates and patches for WordPress core, plugins, and themes to ensure your environment is up to date.

Check if your site is affected.

Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.