SQL Injection Vulnerability in ProfileGrid Plugin for WordPress
CVE-2025-0723

6.5MEDIUM

Key Information:

Vendor: WordPress
Status: Profilegrid – User Profiles, Groups And Communities
Vendor: CVE Published:; 22 March 2025

What is CVE-2025-0723?

The ProfileGrid – User Profiles, Groups and Communities plugin for WordPress has a security vulnerability that allows authenticated users, with Subscriber access and above, to perform blind and time-based SQL injections via the rid and search parameters. This occurs due to inadequate escaping of user-supplied input and insufficient preparation in existing SQL queries. Exploiting this vulnerability could enable attackers to append malicious SQL queries to existing ones, potentially leading to unauthorized access to sensitive database information.

Affected Version(s)

ProfileGrid – User Profiles, Groups and Communities * <= 5.9.4.7

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://plugins.trac.wordpress.org/browser/profilegrid-us...

CVSS V3.1

Score:

6.5

Severity:

MEDIUM

Confidentiality:

High

Integrity:

None

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Mar 22, 2025
Vulnerability Reserved
Jan 26, 2025

Credit

Ivan Kuzymchak