SQL Injection Vulnerability in ProfileGrid Plugin for WordPress
CVE-2025-0723

6.5MEDIUM

Key Information:

Vendor

WordPress
Status
Profilegrid – User Profiles, Groups And Communities
Vendor
CVE Published:
22 March 2025

What is CVE-2025-0723?

The ProfileGrid – User Profiles, Groups and Communities plugin for WordPress has a security vulnerability that allows authenticated users, with Subscriber access and above, to perform blind and time-based SQL injections via the rid and search parameters. This occurs due to inadequate escaping of user-supplied input and insufficient preparation in existing SQL queries. Exploiting this vulnerability could enable attackers to append malicious SQL queries to existing ones, potentially leading to unauthorized access to sensitive database information.

Affected Version(s)

ProfileGrid – User Profiles, Groups and Communities * <= 5.9.4.7

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...
https://plugins.trac.wordpress.org/browser/profilegrid-us...
https://plugins.trac.wordpress.org/browser/profilegrid-us...

CVSS V3.1

Score:
6.5
Severity:
MEDIUM
Confidentiality:
High
Integrity:
None
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Ivan Kuzymchak
.
The Cyber Security Vulnerability Database.