PT-2026-56710 · WordPress · Memberships/User Profiles For Woocommerce+1
John
·
Published
2026-07-09
·
Updated
2026-07-09
·
CVE-2026-11359
CVSS v3.1
4.3
Medium
| Vector | AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N |
Name of the Vulnerable Software and Affected Versions
Memberships and User Profiles for WooCommerce – ProfileGrid WooCommerce Integration versions prior to 3.5
Description
Authenticated users with Subscriber-level access and above can perform unauthorized installation and activation of the ProfileGrid plugin. This occurs because the
pg install profilegrid() function, handled via the wp ajax pg install profilegrid AJAX endpoint, lacks proper capability checks and nonce validation. A nonce is a unique token used to protect against cross-site request forgery by verifying that the request was intentionally sent by the user.Recommendations
Update the plugin to a version later than 3.4.
Fix
Missing Authorization
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Memberships/User Profiles For Woocommerce
Profilegrid