Unauthorized Plugin Installation in WooCommerce Integration Plugin by ProfileGrid
CVE-2026-11359
4.3MEDIUM
Key Information:
- Vendor
WordPress
- Vendor
- CVE Published:
- 9 July 2026
What is CVE-2026-11359?
The Memberships and User Profiles for WooCommerce β ProfileGrid WooCommerce Integration plugin for WordPress, up to version 3.4, is susceptible to an authorization bypass vulnerability. This flaw allows authenticated attackers with Subscriber-level access and above to bypass necessary capability checks, enabling them to install and activate the ProfileGrid plugin without proper authorization. The issue arises from the absence of a nonce validation and missing capability checks in the pg_install_profilegrid() AJAX handler. As a result, users may unknowingly expose their WordPress environments to further security risks.
Affected Version(s)
Memberships and User Profiles for WooCommerce β ProfileGrid WooCommerce Integration 0 <= 3.4