cleantalk
Vulnerabilities and Security Researches

ProfileGrid – User Profiles, Memberships, Groups and Communities, CVE-2025-6977

CVE, Research URL

CVE-2025-6977

Home page URL

Security reports for ProfileGrid – User Profiles, Memberships, Groups and Communities

Application

ProfileGrid – User Profiles, Memberships, Groups and Communities

Published on
Jul 16, 2025
Research Description
The ProfileGrid – User Profiles, Groups and Communities plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘pm_get_messenger_notification’ function in all versions up to, and including, 5.9.5.4 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a logged-in user into performing an action such as clicking on a link.
Affected versions
Min -, max 5.9.5.5.
Status
vulnerable
Previous vulnerability researches
BuddyPress & BuddyBoss Member Profile Forms (053af10176d1dc3feead6bb1c45f871d35190797) , Jun 07, 2024
New vulnerability
WooCommerce Affiliate Plugin – Coupon Affiliates (CVE-2025-54022) , Jul 18, 2025
SMTP for Sendinblue – YaySMTP (CVE-2025-48161) , Jul 18, 2025
Theme Builder For Elementor (CVE-2025-54033) , Jul 18, 2025
Contact Form 7 Widget For Elementor Page Builder & Gutenberg Blocks (CVE-2025-54015) , Jul 18, 2025
Contact Form 7 Widget For Elementor Page Builder & Gutenberg Blocks (CVE-2025-7360) , Jul 18, 2025