Platform: wordpress
Component: profilegrid-user-profiles-groups-and-communities
Fixed in: 5.9.9
CVE-2026-2494 describes a Cross-Site Request Forgery (CSRF) vulnerability in the ProfileGrid – User Profiles, Groups and Communities plugin for WordPress. The flaw allows an unauthenticated attacker to manipulate group membership requests by tricking an administrator into submitting a forged request. It affects versions from 0.0.0 up to and including 5.9.8.2; a fix is available in version 5.9.8.3.
The core impact of CVE-2026-2494 lies in the ability of an attacker to leverage CSRF to control group membership within a WordPress site using the ProfileGrid plugin. An attacker could craft a malicious link or embed a hidden form on a website that, when visited by an administrator, would automatically approve or deny group membership requests without their knowledge or consent. This could lead to unauthorized users gaining access to restricted groups or legitimate users being unfairly denied access. The blast radius is limited to sites utilizing the ProfileGrid plugin, but the potential for disruption and unauthorized access warrants immediate attention.
CVE-2026-2494 was publicly disclosed on 2026-03-07. No public proof-of-concept (POC) code has been identified at the time of writing. The EPSS score is likely to be low due to the requirement of tricking an administrator into clicking a malicious link, but the potential impact warrants monitoring. This vulnerability is not currently listed on the CISA KEV catalog.
Exploit Status
EPSS: 0.01% (2nd percentile)
CISA SSVC: not given
CVSS Vector: not given
The primary mitigation for CVE-2026-2494 is to immediately upgrade the ProfileGrid plugin to version 5.9.8.3 or later. If upgrading is not immediately feasible due to compatibility issues or testing requirements, consider implementing temporary workarounds. While a direct WAF rule targeting this specific CSRF vulnerability might be difficult to create, general CSRF protection rules can help mitigate the risk. Carefully review and restrict access to the membership request management page, limiting access to authorized administrators only. Regularly audit user roles and group memberships to detect any unauthorized changes.
Update to version 5.9.8.3, or a newer patched version
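To show the class of defect behind this advisory and the standard WordPress fix, here is an added example that is not ProfileGrid's code: the action name, function names, option key and capability are hypothetical. It contrasts an admin-side approve/deny handler that trusts request parameters with no CSRF token against one that verifies a nonce bound to the specific request and checks the caller's capability.

```php
<?php
// Added illustration, not ProfileGrid's code. All names here are hypothetical.

// VULNERABLE pattern: the handler acts on POST parameters with no CSRF token and no
// capability check. A logged-in administrator who loads an attacker-controlled page
// can be made to auto-submit a form to admin-post.php; the browser attaches the
// admin's cookies, so the request is authenticated even though the admin never chose it.
add_action( 'admin_post_pg_example_membership_decide', 'pg_example_decide_insecure' );
function pg_example_decide_insecure() {
    $request_id = absint( $_POST['request_id'] ?? 0 );
    $decision   = ( 'approve' === ( $_POST['decision'] ?? '' ) ) ? 'approve' : 'deny';
    pg_example_apply_decision( $request_id, $decision );
    wp_safe_redirect( admin_url( 'admin.php?page=pg-example-requests' ) );
    exit;
}

// HARDENED pattern: the form must carry a nonce tied to this action, this request id and
// the current user session, and the user must hold a capability ordinary members lack.
add_action( 'admin_post_pg_example_membership_decide_safe', 'pg_example_decide_secure' );
function pg_example_decide_secure() {
    $request_id = absint( $_POST['request_id'] ?? 0 );
    // check_admin_referer() ends the request with a 403 if the nonce is missing, expired or forged.
    check_admin_referer( 'pg_example_decide_' . $request_id, 'pg_example_nonce' );
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions', '', array( 'response' => 403 ) );
    }
    $decision = ( 'approve' === ( $_POST['decision'] ?? '' ) ) ? 'approve' : 'deny';
    pg_example_apply_decision( $request_id, $decision );
    wp_safe_redirect( admin_url( 'admin.php?page=pg-example-requests' ) );
    exit;
}

// The legitimate form embeds the matching nonce. A cross-origin page cannot read this
// value, so a forged form submission fails the check above.
function pg_example_render_decide_form( $request_id ) {
    $request_id = absint( $request_id );
    echo '<form method="post" action="' . esc_url( admin_url( 'admin-post.php' ) ) . '">';
    echo '<input type="hidden" name="action" value="pg_example_membership_decide_safe">';
    echo '<input type="hidden" name="request_id" value="' . esc_attr( $request_id ) . '">';
    wp_nonce_field( 'pg_example_decide_' . $request_id, 'pg_example_nonce' );
    echo '<button name="decision" value="approve">Approve</button> ';
    echo '<button name="decision" value="deny">Deny</button>';
    echo '</form>';
}

// Hypothetical persistence: records the decision for the given membership request.
function pg_example_apply_decision( $request_id, $decision ) {
    update_option( 'pg_example_request_' . $request_id, $decision, false );
}
```

The nonce only proves the request originated from a form the site rendered for this user; the capability check is still required because a nonce alone does not establish authorization.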
CVE-2026-2494 is a Cross-Site Request Forgery (CSRF) vulnerability affecting versions 0.0.0 through 5.9.8.2 of the ProfileGrid WordPress plugin, allowing attackers to manipulate group membership requests.
If you are running ProfileGrid plugin versions 0.0.0 through 5.9.8.2 on your WordPress site, you are potentially affected by this vulnerability.
Upgrade the ProfileGrid plugin to version 5.9.8.3 or later to resolve the CSRF vulnerability. Consider temporary workarounds if immediate upgrade is not possible.
As of the current assessment, there are no confirmed reports of active exploitation of CVE-2026-2494, but it's crucial to apply the patch promptly.
Refer to the official ProfileGrid website and WordPress plugin repository for the latest advisory and update information regarding CVE-2026-2494.