CVE-2019-15873

Name of the Vulnerable Software and Affected Versions profilegrid-user-profiles-groups-and-communities plugin versions prior to 2.8.6

Description The issue allows for remote code execution. This can be achieved through a request to the wp-admin/admin-ajax.php endpoint with specific parameters, including action=pm template preview and html containing a PHP code substring, such as <?php followed by PHP code.

Recommendations For versions prior to 2.8.6, update to version 2.8.6 or later to resolve the issue. As a temporary workaround, consider restricting access to the wp-admin/admin-ajax.php endpoint or disabling the action=pm template preview functionality until the update is applied. Avoid using the html parameter in the affected endpoint with potentially malicious input until the issue is resolved.