Unauthorized Plugin Installation in WooCommerce Integration Plugin by ProfileGrid
CVE-2026-11359

4.3MEDIUM

What is CVE-2026-11359?

The Memberships and User Profiles for WooCommerce – ProfileGrid WooCommerce Integration plugin for WordPress, up to version 3.4, is susceptible to an authorization bypass vulnerability. This flaw allows authenticated attackers with Subscriber-level access and above to bypass necessary capability checks, enabling them to install and activate the ProfileGrid plugin without proper authorization. The issue arises from the absence of a nonce validation and missing capability checks in the pg_install_profilegrid() AJAX handler. As a result, users may unknowingly expose their WordPress environments to further security risks.

Affected Version(s)

Memberships and User Profiles for WooCommerce – ProfileGrid WooCommerce Integration 0 <= 3.4

References

CVSS V3.1

Score:
4.3
Severity:
MEDIUM
Confidentiality:
None
Integrity:
Low
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

John
.