cleantalk
Vulnerabilities and Security Researches

ProfileGrid – User Profiles, Memberships, Groups and Communities, CVE-2026-4610

CVE, Research URL

CVE-2026-4610

Home page URL

Security reports for ProfileGrid – User Profiles, Memberships, Groups and Communities

Application

ProfileGrid – User Profiles, Memberships, Groups and Communities

Published on
Jun 23, 2026
Research Description
The ProfileGrid – User Profiles, Groups and Communities plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'pm_author_message' parameter in the pm_send_message_to_author function in all versions up to, and including, 5.9.9.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Subscriber-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. The vulnerability was partially patched in version 5.9.8.5.
Affected versions
max 5.9.9.3.
Status
vulnerable
Previous vulnerability researches
Wireless Butler (CVE-2025-26997) , Apr 15, 2025
New vulnerability
Interactive Content – H5P (CVE-2026-56006) , Jun 24, 2026
Transbank Webpay REST (CVE-2026-6858) , Jun 24, 2026
ProfileGrid – User Profiles, Memberships, Groups and Communities (CVE-2026-4610) , Jun 24, 2026
Paymob for WooCommerce (CVE-2026-56025) , Jun 24, 2026
Motors – Car Dealer, Classifieds & Listing (CVE-2026-7859) , Jun 24, 2026