CVE-2026-1271

Name of the Vulnerable Software and Affected Versions ProfileGrid – User Profiles, Groups and Communities plugin for WordPress versions through 5.9.7.2

Description The ProfileGrid plugin for WordPress is susceptible to an Insecure Direct Object Reference issue. This is due to the update user meta() function being called without proper user authorization checks in the files public/partials/crop.php and public/partials/coverimg crop.php. Authenticated attackers with Subscriber-level access or higher can modify profile pictures or cover images of any user, including administrators, through the 'pm upload image' and 'pm upload cover image' AJAX actions.

Recommendations Versions prior to 5.9.7.2 should be updated.