Stored Cross-Site Scripting Vulnerability in ProfileGrid Plugin for WordPress
CVE-2026-4610

6.4MEDIUM

Key Information:

Vendor: WordPress
Status: Profilegrid – User Profiles, Groups And Communities
Vendor: CVE Published:; 23 June 2026

What is CVE-2026-4610?

The ProfileGrid plugin for WordPress contains a vulnerability that allows authenticated users with Subscriber-level access or higher to exploit the 'pm_author_message' parameter in the pm_send_message_to_author function. This flaw arises from inadequate input sanitization and output encoding, enabling attackers to inject malicious scripts. When users access affected pages, these scripts may execute, compromising user data and session integrity. Although a partial fix was introduced in version 5.9.8.5, earlier versions remain vulnerable, highlighting the importance of timely updates and secure coding practices.

Affected Version(s)

ProfileGrid – User Profiles, Groups and Communities 0 <= 5.9.9.2

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://plugins.trac.wordpress.org/browser/profilegrid-us...

CVSS V3.1

Score:

6.4

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Changed

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jun 23, 2026
Vulnerability Reserved
Mar 23, 2026

Credit

Jonah Burgess

CVE-2026-4610 Data

JSON