{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-2488", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2026-02-13T21:00:10.000Z", "datePublished": "2026-03-07T01:21:21.720Z", "dateUpdated": "2026-04-08T16:51:15.049Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:51:15.049Z"}, "affected": [{"vendor": "metagauss", "product": "ProfileGrid \u2013 User Profiles, Groups and Communities", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "5.9.8.1", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The ProfileGrid \u2013 User Profiles, Groups and Communities plugin for WordPress is vulnerable to unauthorized message deletion due to a missing capability check on the pg_delete_msg() function in all versions up to, and including, 5.9.8.1. This is due to the function not verifying that the requesting user has permission to delete the targeted message. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary messages belonging to any user by sending a direct request with a valid message ID (mid parameter)."}], "title": "ProfileGrid <= 5.9.8.1 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Message Deletion", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/4c611fa0-28ef-4425-8614-fb61e250e625?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/profilegrid-user-profiles-groups-and-communities/trunk/public/class-profile-magic-public.php#L5913"}, {"url": "https://plugins.trac.wordpress.org/browser/profilegrid-user-profiles-groups-and-communities/tags/5.9.7.1/public/class-profile-magic-public.php#L5913"}, {"url": "https://plugins.trac.wordpress.org/browser/profilegrid-user-profiles-groups-and-communities/trunk/includes/class-profile-magic.php#L372"}, {"url": "https://plugins.trac.wordpress.org/browser/profilegrid-user-profiles-groups-and-communities/tags/5.9.7.1/includes/class-profile-magic.php#L372"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3464213%40profilegrid-user-profiles-groups-and-communities&new=3464213%40profilegrid-user-profiles-groups-and-communities&sfp_email=&sfph_mail="}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-862 Missing Authorization", "cweId": "CWE-862", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "baseScore": 4.3, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Sergej Ljubojevic"}, {"lang": "en", "type": "finder", "value": "Boris Bogosavac"}], "timeline": [{"time": "2026-02-13T21:19:21.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2026-03-06T11:44:27.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-09T19:00:19.369648Z", "id": "CVE-2026-2488", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-09T19:34:06.605Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-2488", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-09T19:00:19.369648Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-09T19:00:20.492Z"}}], "cna": {"title": "ProfileGrid <= 5.9.8.1 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Message Deletion", "credits": [{"lang": "en", "type": "finder", "value": "Sergej Ljubojevic"}, {"lang": "en", "type": "finder", "value": "Boris Bogosavac"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 4.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N"}}], "affected": [{"vendor": "metagauss", "product": "ProfileGrid \u2013 User Profiles, Groups and Communities", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "5.9.8.1"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2026-02-13T21:19:21.000Z", "value": "Vendor Notified"}, {"lang": "en", "time": "2026-03-06T11:44:27.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/4c611fa0-28ef-4425-8614-fb61e250e625?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/profilegrid-user-profiles-groups-and-communities/trunk/public/class-profile-magic-public.php#L5913"}, {"url": "https://plugins.trac.wordpress.org/browser/profilegrid-user-profiles-groups-and-communities/tags/5.9.7.1/public/class-profile-magic-public.php#L5913"}, {"url": "https://plugins.trac.wordpress.org/browser/profilegrid-user-profiles-groups-and-communities/trunk/includes/class-profile-magic.php#L372"}, {"url": "https://plugins.trac.wordpress.org/browser/profilegrid-user-profiles-groups-and-communities/tags/5.9.7.1/includes/class-profile-magic.php#L372"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3464213%40profilegrid-user-profiles-groups-and-communities&new=3464213%40profilegrid-user-profiles-groups-and-communities&sfp_email=&sfph_mail="}], "descriptions": [{"lang": "en", "value": "The ProfileGrid \u2013 User Profiles, Groups and Communities plugin for WordPress is vulnerable to unauthorized message deletion due to a missing capability check on the pg_delete_msg() function in all versions up to, and including, 5.9.8.1. This is due to the function not verifying that the requesting user has permission to delete the targeted message. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary messages belonging to any user by sending a direct request with a valid message ID (mid parameter)."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "CWE-862 Missing Authorization"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:51:15.049Z"}}}, "cveMetadata": {"cveId": "CVE-2026-2488", "state": "PUBLISHED", "dateUpdated": "2026-04-08T16:51:15.049Z", "dateReserved": "2026-02-13T21:00:10.000Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2026-03-07T01:21:21.720Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The ProfileGrid \u2013 User Profiles, Groups and Communities plugin for WordPress is vulnerable to unauthorized message deletion due to a missing capability check on the pg_delete_msg() function in all versions up to, and including, 5.9.8.1. This is due to the function not verifying that the requesting user has permission to delete the targeted message. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary messages belonging to any user by sending a direct request with a valid message ID (mid parameter)."}, {"lang": "es", "value": "El plugin ProfileGrid \u2013 Perfiles de Usuario, Grupos y Comunidades para WordPress es vulnerable a la eliminaci\u00f3n no autorizada de mensajes debido a una falta de verificaci\u00f3n de capacidad en la funci\u00f3n pg_delete_msg() en todas las versiones hasta la 5.9.8.1, inclusive. Esto se debe a que la funci\u00f3n no verifica que el usuario solicitante tenga permiso para eliminar el mensaje objetivo. Esto hace posible que atacantes autenticados, con acceso de nivel Suscriptor y superior, eliminen mensajes arbitrarios pertenecientes a cualquier usuario enviando una solicitud directa con un ID de mensaje v\u00e1lido (par\u00e1metro mid)."}], "id": "CVE-2026-2488", "lastModified": "2026-04-22T21:27:27.950", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2026-03-07T02:16:12.600", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/profilegrid-user-profiles-groups-and-communities/tags/5.9.7.1/includes/class-profile-magic.php#L372"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/profilegrid-user-profiles-groups-and-communities/tags/5.9.7.1/public/class-profile-magic-public.php#L5913"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/profilegrid-user-profiles-groups-and-communities/trunk/includes/class-profile-magic.php#L372"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/profilegrid-user-profiles-groups-and-communities/trunk/public/class-profile-magic-public.php#L5913"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3464213%40profilegrid-user-profiles-groups-and-communities&new=3464213%40profilegrid-user-profiles-groups-and-communities&sfp_email=&sfph_mail="}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/4c611fa0-28ef-4425-8614-fb61e250e625?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,5.9.8.1]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "ProfileGrid \u2013 User Profiles, Groups and Communities", "source": "cna", "vendor": "metagauss"}, "product": "profilegrid_\u2013_user_profiles,_groups_and_communities", "vendor": "metagauss"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-15T17:50:15.054161+00:00", "value": {"mitigation_remediation": ["Upgrade the ProfileGrid plugin to a version newer than 5.9.8.1 that includes the missing authorization check.", "If an upgrade cannot be performed immediately, restrict subscriber-level permissions so that the role lacks the capability to delete messages, using a role editor or custom capability plugin.", "Monitor the site\u2019s activity logs for unauthorized message deletions and investigate promptly."], "summary": {"action": "Apply Patch", "impact": "Arbitrary Message Deletion"}, "threat_synthesis": {"affected_systems": "The vulnerability affects the metagauss ProfileGrid WordPress plugin, versions up to and including 5.9.8.1. All WordPress sites that install or use these plugin releases are impacted.", "description_and_impact": "The ProfileGrid \u2013 User Profiles, Groups and Communities plugin for WordPress contains a missing capability check in the pg_delete_msg() function. Because the function does not verify that the requesting user has permission to delete the targeted message, a user with any authenticated role of Subscriber or higher can delete arbitrary messages belonging to other users. This flaw violates data integrity and is classified as CWE\u2011862, Missing Authorization Check.", "risk_and_exploitability": "The CVSS score of 4.3 indicates moderate severity, while the EPSS score of less than 1% points to a low likelihood of exploitation. The vulnerability is not listed in CISA\u2019s KEV catalog. An attacker must first authenticate as a Subscriber or higher role, then supply a valid message ID (mid) in a direct request to the deletion endpoint. No remote code execution or network-level exploit is required, making the attack vector internal to the WordPress installation."}}}}, "created": "2026-03-09T10:06:08.743071+00:00", "updated": "2026-04-15T18:00:15.472050+00:00", "vendors": ["metagauss", "metagauss$PRODUCT$profilegrid_\u2013_user_profiles,_groups_and_communities", "wordpress", "wordpress$PRODUCT$wordpress"]}