PT-2026-56710 · WordPress · Memberships/User Profiles For Woocommerce+1

John

·

Published

2026-07-09

·

Updated

2026-07-09

·

CVE-2026-11359

CVSS v3.1

4.3

Medium

VectorAV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Name of the Vulnerable Software and Affected Versions Memberships and User Profiles for WooCommerce – ProfileGrid WooCommerce Integration versions prior to 3.5
Description Authenticated users with Subscriber-level access and above can perform unauthorized installation and activation of the ProfileGrid plugin. This occurs because the pg install profilegrid() function, handled via the wp ajax pg install profilegrid AJAX endpoint, lacks proper capability checks and nonce validation. A nonce is a unique token used to protect against cross-site request forgery by verifying that the request was intentionally sent by the user.
Recommendations Update the plugin to a version later than 3.4.

Fix

Missing Authorization

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2026-11359

Affected Products

Memberships/User Profiles For Woocommerce
Profilegrid