PT-2025-12464 · WordPress · Profilegrid

Published 2025-03-22 · Updated 2025-03-27 · CVE-2025-0724

CVSS v3.1: 8.8 (High)

Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions

ProfileGrid – User Profiles, Groups and Communities plugin for WordPress, versions up to and including 5.9.4.5

Description

The vulnerability is a PHP Object Injection via deserialization of untrusted input in the get_user_meta_fields_html function. It allows authenticated attackers with Subscriber-level access and above to inject a PHP object. The impact depends on the presence of a POP chain in other plugins or themes installed on the site, which could enable actions like deleting arbitrary files, retrieving sensitive data, or executing code.

Recommendations

For the ProfileGrid – User Profiles, Groups and Communities plugin for WordPress, versions up to and including 5.9.4.5, consider updating to a version that fixes the PHP Object Injection issue. As a temporary workaround, restrict access to the get_user_meta_fields_html function to minimize the risk of exploitation. Additionally, review installed plugins and themes for potential POP chains that could be used in conjunction with this vulnerability.

Fix

Deserialization of Untrusted Data

Weakness Enumeration

Related Identifiers

CVE-2025-0724

Affected Products

Profilegrid