PT-2026-53809 · WordPress · Profilegrid
Ivan Kuzymchak
·
Published
2026-06-30
·
Updated
2026-06-30
·
CVE-2026-12073
CVSS v3.1
9.8
Critical
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
ProfileGrid – User Profiles, Groups and Communities versions prior to 5.9.9.6
Description
An unauthenticated attacker can escalate privileges by taking over an account. The flaw exists because the plugin does not validate the user login parameter on registration forms that omit it and does not handle the resulting error correctly. As a result, an attacker can change the email address of the user account with ID 1, which is typically the administrator, and then use the password reset flow to gain full access to that account.
Recommendations
Update ProfileGrid – User Profiles, Groups and Communities to version 5.9.9.6 or later.
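As an added example (not code from this advisory or from the ProfileGrid project), the check below decides whether an installed copy falls in the affected range. It reads the standard WordPress plugin header of the plugin's main PHP file (the sample header here is constructed and its version value is made up) and compares the version numerically against 5.9.9.6, because a plain string comparison misorders four-component versions such as 5.9.9.10 and treats 5.9.9 and 5.9.9.0 as different.

```python
"""Decide whether an installed ProfileGrid version is older than the first fixed release (5.9.9.6)."""
import re
from typing import List, Optional

FIXED_VERSION = "5.9.9.6"  # first fixed release named in the advisory

# Standard WordPress plugin headers carry a "Version:" line inside the main file's header comment.
_VERSION_RE = re.compile(r"^\s*\*?\s*Version:\s*(\S+)", re.MULTILINE | re.IGNORECASE)


def parse_version(text: str) -> List[int]:
    """Split a dotted version into integer components; a non-numeric suffix such as '-beta' is dropped."""
    parts: List[int] = []
    for piece in text.strip().split("."):
        m = re.match(r"\d+", piece)
        if m is None:
            break
        parts.append(int(m.group()))
    if not parts:
        raise ValueError(f"unparseable version: {text!r}")
    return parts


def compare_versions(a: str, b: str) -> int:
    """Component-wise numeric comparison returning -1, 0 or 1.

    Shorter versions are padded with zeros, so 5.9.9 == 5.9.9.0 and
    5.9.9.10 > 5.9.9.6 (a string comparison gets the latter wrong).
    """
    pa, pb = parse_version(a), parse_version(b)
    width = max(len(pa), len(pb))
    pa += [0] * (width - len(pa))
    pb += [0] * (width - len(pb))
    return (pa > pb) - (pa < pb)


def is_affected(installed: str, fixed: str = FIXED_VERSION) -> bool:
    """Affected when strictly older than the first fixed release."""
    return compare_versions(installed, fixed) < 0


def version_from_plugin_header(header_text: str) -> Optional[str]:
    """Extract the value of the 'Version:' header line, or None if absent."""
    m = _VERSION_RE.search(header_text)
    return m.group(1) if m else None


# Constructed sample: the shape follows the standard WordPress plugin header, the version value is invented.
SAMPLE_HEADER = """<?php
/**
 * Plugin Name: ProfileGrid - User Profiles, Groups and Communities
 * Version: 5.9.9.5
 */
"""


def check_header(header_text: str = SAMPLE_HEADER) -> bool:
    """Parse a plugin header and report whether the declared version is affected."""
    declared = version_from_plugin_header(header_text)
    if declared is None:
        raise ValueError("no Version: line found in plugin header")
    return is_affected(declared)


if __name__ == "__main__":
    print("affected" if check_header() else "not affected")
```

In practice, pass the contents of the plugin's main PHP file to `check_header`; a missing `Version:` line is reported as an error rather than silently treated as safe.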
Fix
LPE
IDOR
Weakness Enumeration
Related Identifiers
Affected Products
Profilegrid