The ProfileGrid – User Profiles, Groups and Communities plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 5.9.8.2. This is due to missing nonce validation on the membership request management page (approve and decline actions). This makes it possible for unauthenticated attackers to approve or deny group membership requests via a forged request, provided they can trick a site administrator into performing an action such as clicking on a link.
ProfileGrid <= 5.9.8.2 - Cross-Site Request Forgery to Group Membership Request Approval/Denial
Problem type
Affected products
metagauss
<= 5.9.8.2 - AFFECTED
References
https://www.wordfence.com/threat-intel/vulnerabilities/id/6b8ffdb9-b8c6-428c-a047-8e5286b2c2fb?source=cve
https://plugins.trac.wordpress.org/browser/profilegrid-user-profiles-groups-and-communities/trunk/admin/partials/pm-membership-requests.php#L14
https://plugins.trac.wordpress.org/browser/profilegrid-user-profiles-groups-and-communities/tags/5.9.7.1/admin/partials/pm-membership-requests.php#L14
https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3472582%40profilegrid-user-profiles-groups-and-communities&new=3472582%40profilegrid-user-profiles-groups-and-communities&sfp_email=&sfph_mail=
GitHub Security Advisories
GHSA-2465-v3qx-qvx6
The ProfileGrid – User Profiles, Groups and Communities plugin for WordPress is vulnerable to...
https://github.com/advisories/GHSA-2465-v3qx-qvx6
The ProfileGrid – User Profiles, Groups and Communities plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 5.9.8.2. This is due to missing nonce validation on the membership request management page (approve and decline actions). This makes it possible for unauthenticated attackers to approve or deny group membership requests via a forged request, provided they can trick a site administrator into performing an action such as clicking on a link.
https://nvd.nist.gov/vuln/detail/CVE-2026-2494
https://plugins.trac.wordpress.org/browser/profilegrid-user-profiles-groups-and-communities/tags/5.9.7.1/admin/partials/pm-membership-requests.php#L14
https://plugins.trac.wordpress.org/browser/profilegrid-user-profiles-groups-and-communities/trunk/admin/partials/pm-membership-requests.php#L14
https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3472582%40profilegrid-user-profiles-groups-and-communities&new=3472582%40profilegrid-user-profiles-groups-and-communities&sfp_email=&sfph_mail=
https://www.wordfence.com/threat-intel/vulnerabilities/id/6b8ffdb9-b8c6-428c-a047-8e5286b2c2fb?source=cve
https://github.com/advisories/GHSA-2465-v3qx-qvx6
JSON source
https://cveawg.mitre.org/api/cve/CVE-2026-2494
{
"dataType": "CVE_RECORD",
"dataVersion": "5.2",
"cveMetadata": {
"cveId": "CVE-2026-2494",
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"dateUpdated": "2026-03-07T01:21:22.065Z",
"dateReserved": "2026-02-13T21:16:27.567Z",
"datePublished": "2026-03-07T01:21:22.065Z",
"state": "PUBLISHED"
},
"containers": {
"cna": {
"providerMetadata": {
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence",
"dateUpdated": "2026-03-07T01:21:22.065Z"
},
"title": "ProfileGrid <= 5.9.8.2 - Cross-Site Request Forgery to Group Membership Request Approval/Denial",
"descriptions": [
{
"lang": "en",
"value": "The ProfileGrid – User Profiles, Groups and Communities plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 5.9.8.2. This is due to missing nonce validation on the membership request management page (approve and decline actions). This makes it possible for unauthenticated attackers to approve or deny group membership requests via a forged request granted they can trick a site administrator into performing an action such as clicking on a link."
}
],
"affected": [
{
"vendor": "metagauss",
"product": "ProfileGrid – User Profiles, Groups and Communities",
"defaultStatus": "unaffected",
"versions": [
{
"version": "*",
"status": "affected",
"versionType": "semver",
"lessThanOrEqual": "5.9.8.2"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"lang": "en",
"description": "CWE-352 Cross-Site Request Forgery (CSRF)",
"cweId": "CWE-352",
"type": "CWE"
}
]
}
],
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/6b8ffdb9-b8c6-428c-a047-8e5286b2c2fb?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/profilegrid-user-profiles-groups-and-communities/trunk/admin/partials/pm-membership-requests.php#L14"
},
{
"url": "https://plugins.trac.wordpress.org/browser/profilegrid-user-profiles-groups-and-communities/tags/5.9.7.1/admin/partials/pm-membership-requests.php#L14"
},
{
"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3472582%40profilegrid-user-profiles-groups-and-communities&new=3472582%40profilegrid-user-profiles-groups-and-communities&sfp_email=&sfph_mail="
}
],
"metrics": [
{
"cvssV3_1": {
"version": "3.1",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N",
"baseScore": 4.3,
"baseSeverity": "MEDIUM"
}
}
],
"timeline": [
{
"time": "2026-02-18T21:12:14.000Z",
"lang": "en",
"value": "Vendor Notified"
},
{
"time": "2026-03-06T11:37:07.000Z",
"lang": "en",
"value": "Disclosed"
}
],
"credits": [
{
"lang": "en",
"value": "Sergej Ljubojevic",
"type": "finder"
},
{
"lang": "en",
"value": "Boris Bogosavac",
"type": "finder"
}
]
}
}
}