CVE-2026-12073: ProfileGrid WordPress Plugin Vulnerability
| Field | Value |
|---|---|
| CVE ID | CVE-2026-12073 |
| CVSS score | 9.8 Critical |
| Attack vector | Network / unauthenticated web attack |
| Auth required | None |
| Patch status | Yes, patched in a release after 5.9.9.5; exact fixed version not confirmed from retrieved primary source |
TL;DR - Critical unauthenticated account takeover in the ProfileGrid WordPress plugin. - Affects all versions up to and including 5.9.9.5. - Upgrade immediately to a version newer than 5.9.9.5 and review admin account email and password reset activity.
Vulnerability at a Glance
CVE-2026-12073 affects ProfileGrid – User Profiles, Groups and Communities, a WordPress plugin associated with ProfileGrid / Metagauss. According to the NVD description, the plugin is vulnerable to privilege escalation via account takeover in all versions up to and including 5.9.9.5. The core issue is a logic flaw in registration handling: the plugin fails to validate the user_login parameter on registration forms when that parameter is missing, and it does not safely handle the resulting error state.
The practical impact is severe. An unauthenticated attacker can allegedly change the email address of user ID 1, which is often the original WordPress administrator account, then request a password reset and take over that account. This is why the issue carries a CVSS 9.8 score. Even without evidence of mass exploitation, defenders should treat this as an urgent patching and incident review item because it directly targets administrative control of the site.
What This Vulnerability Actually Means
This is not a memory corruption bug or a low-impact information leak. It is an application-logic flaw in a high-exposure workflow: user registration. For many WordPress sites, registration endpoints are publicly reachable by design, and plugins that extend community or membership features often add complex paths for account creation and profile management. When those flows fail to validate critical identity fields, attackers can sometimes pivot into account manipulation.
In this case, the NVD states that the flaw can be used to change the email address on user account ID 1 and then leverage the normal password reset process. That matters because password reset is a trusted path inside WordPress operations. If an attacker can first swap the email address on a privileged account, the rest of the compromise can look like a legitimate reset rather than a classic brute-force or credential stuffing event. For defenders, the “so what” is simple: patching is necessary, but so is review of historical user-profile and password-reset activity.
Technical Notes
The behavior described by NVD indicates a likely abuse chain similar to:
- Submit a crafted registration request where
user_loginis omitted or manipulated. - Trigger erroneous handling in the plugin.
- Change the email address associated with user ID 1.
- Request a password reset for that administrator account.
- Complete takeover through the reset link.
Because the upstream patch reference was not directly retrievable in this environment, defenders should avoid relying on guessed internals. The verified root cause remains: missing user_login validation and improper error handling in registration forms.
Exploitation Status, PoC Status, and Defender Assumptions
Based on the collected source material, exploitation in the wild is not confirmed. The CVE is not currently listed in CISA KEV, which means there is no public CISA designation that active exploitation is known and widespread enough to require urgent federal action. That is useful context, but it should not be confused with safety. KEV omission is not proof that attackers are ignoring the bug.
Likewise, no verified public PoC was confirmed from the collected references. The research note specifically found no clearly attributable public GitHub or other proof-of-concept tied to CVE-2026-12073 in the reviewed results. In practice, defenders should assume that a bug with a straightforward account-takeover chain in a popular web platform can be independently rediscovered quickly, especially once patch diffs or changelog hints exist.
To state this clearly:
- Confirmed in the wild exploitation: Unknown / not confirmed from collected sources
- Public PoC availability: Unknown / no verified public PoC confirmed from collected sources
- CISA KEV listing: No
In the absence of confirmed exploitation data, the right defender assumption is not “low risk.” It is “high-impact, low-friction vulnerability with public-facing exposure,” which still warrants urgent remediation.
Bottom Line
CVE-2026-12073 is a critical unauthenticated account-takeover vulnerability in the ProfileGrid WordPress plugin. It affects all versions through 5.9.9.5, and the fix is tied to a release after 5.9.9.5, though the exact fixed version was not directly confirmed from the retrieved primary patch reference. There is no confirmed public PoC and no confirmed in-the-wild exploitation in the collected material, but the impact and simplicity of the described attack path make this a high-priority patching issue.
If you run ProfileGrid, identify exposed instances now, upgrade immediately, and review audit trails for administrator email changes and password reset activity. For more information on WordPress security, check out our articles on CVE Definitions and What is a Bastion Host.
This article may contain affiliate links. We earn a commission on qualifying purchases at no extra cost to you.
Affected Versions and Patch Status
The affected version range is explicitly stated as all versions up to and including 5.9.9.5. If your site runs ProfileGrid at 5.9.9.5 or earlier, it should be considered vulnerable unless you have a compensating control that fully disables the vulnerable registration path. The product identified in the source material is ProfileGrid – User Profiles, Groups and Communities for WordPress.
Patch availability is less precise than many defenders would like. The NVD references a WordPress plugin Trac changeset, 3578435, which strongly indicates that a fix exists in a release after 5.9.9.5. However, the exact fixed release number was not directly confirmed from the retrieved advisory content because the patch reference could not be fetched in this collection environment. That means the defensible statement is: upgrade to a version newer than 5.9.9.5 and verify with the plugin changelog or vendor release notes before closing the ticket.
| Product | Affected Versions | Fixed Version |
|---|---|---|
| ProfileGrid – User Profiles, Groups and Communities | All versions up to and including 5.9.9.5 | Unknown from retrieved primary source; patched in a release after 5.9.9.5 |
If your asset inventory only tracks WordPress core and not plugins, this is a good reminder that plugin SBOM and version visibility matters. Many WordPress compromises happen through extensions rather than the CMS itself, and missing plugin version data slows both patching and retrospective investigation.
How to Detect Possible Exploitation
Start with exposure validation. Enumerate WordPress sites running ProfileGrid and identify versions 5.9.9.5 and earlier. Then focus on signs of account manipulation affecting the primary administrative account, especially user ID 1, unusual email address changes, and password reset activity shortly afterward. Because the flaw abuses an application workflow rather than dropping malware, web and application logs are more valuable than endpoint telemetry.
You should also review whether public registration was enabled and whether ProfileGrid registration forms were reachable from the internet during the vulnerable window. If registration was disabled globally but the plugin still exposed relevant endpoints, do not assume immunity without testing. Also inspect any security plugin alerts, SMTP logs, and WordPress audit trails for changes to admin profile data, because the compromise path likely involves a reset email being sent after the email address swap.
Technical Notes
Potential indicators worth hunting for include:
- POST requests to registration or profile-related endpoints tied to ProfileGrid
- Admin email change events for user ID 1
- Password reset events immediately following profile or email changes
- New administrator sessions from unusual IPs after a reset
Example log patterns to review:
POST /wp-login.php?action=lostpassword
POST /register
POST /wp-admin/admin-ajax.php
POST /?rest_route=
If you have WordPress audit logs or a plugin such as WP Activity Log, look for patterns like:
User profile updated
Changed email address for user ID 1
Password reset requested
Password changed
Administrator logged in
Example grep-based triage on common access logs:
grep -E 'POST .*wp-login\.php\?action=lostpassword|POST .*register|POST .*admin-ajax\.php' /var/log/nginx/access.log
grep -E 'POST .*wp-login\.php\?action=lostpassword|POST .*register|POST .*admin-ajax\.php' /var/log/apache2/access.log
Example Splunk search for suspicious reset activity:
index=web (uri_path="/wp-login.php" AND uri_query="action=lostpassword") OR (http_method=POST AND (uri_path="/register" OR uri_path="/wp-admin/admin-ajax.php"))
| stats count min(_time) as first_seen max(_time) as last_seen by src_ip, http_method, uri_path, uri_query, user_agent
| sort - last_seen
If you have database or application audit visibility, also review changes to the wp_users.user_email value for the administrative account. Exact schema and table prefix may vary.
Mitigation and Patching
The primary mitigation is to upgrade ProfileGrid to a version newer than 5.9.9.5. Because the exact fixed version was not directly confirmed in the retrieved advisory material, defenders should check the plugin’s current changelog in WordPress or the vendor site and ensure the installed version is the release that contains the fix associated with the referenced changeset. If you cannot immediately verify the fixed release, the safe course is to upgrade to the latest available stable version from the official source.
If immediate patching is not possible, reduce exposure. Temporarily disable public registration features that depend on ProfileGrid, restrict access to registration endpoints with a WAF or reverse proxy rule, and closely monitor password reset activity. These workarounds are operationally useful but should be considered temporary only. Because the flaw is tied to registration logic, the safest interim control is to remove or disable the vulnerable plugin until you can patch.
Technical Notes
For sites managed with WP-CLI, first verify the installed plugin version:
wp plugin list | grep profilegrid
Then update from the official repository:
wp plugin update profilegrid-user-profiles-groups-and-communities
If you need to disable the plugin immediately while validating the fixed release:
wp plugin deactivate profilegrid-user-profiles-groups-and-communities
Possible temporary Apache restriction example for registration-related paths:
<LocationMatch "/(register|wp-login\.php)">
Require ip 203.0.113.10
</LocationMatch>
Possible temporary Nginx restriction example:
location ~* ^/(register|wp-login\.php)$ {
allow 203.0.113.10;
deny all;
}
If you disable password reset temporarily as an emergency control, document the business impact first and restore normal workflows after patching. After remediation, rotate credentials for privileged accounts, verify the administrator email addresses, and invalidate active sessions if compromise is suspected.
Incident Response Considerations
If you discover suspicious admin email changes or unexplained password reset events, treat the site as potentially compromised. Administrative takeover in WordPress often leads to secondary actions such as rogue admin creation, theme or plugin modification, SEO spam insertion, web shell placement, credential theft, or malicious redirects. The initial account takeover may be only the first stage.
A reasonable response workflow is to preserve logs, snapshot the site, reset all administrator passwords, rotate hosting and database credentials, review installed plugins and themes, and compare critical files against known-good versions. Also inspect outbound mail logs for reset messages and review the wp_users and wp_usermeta tables for unauthorized administrator accounts or changed metadata. If user data was accessible from the admin panel, assess whether notification or regulatory steps are necessary.
References
- NVD CVE record: https://nvd.nist.gov/
- CISA KEV catalog: https://www.cisa.gov/known-exploited-vulnerabilities-catalog
- WordPress plugin listing: https://wordpress.org/plugins/profilegrid-user-profiles-groups-and-communities
- Official product site: https://profilegrid.co
- Patch reference cited by NVD: https://plugins.trac.wordpress.org/changeset/3578435/
- Wordfence reference cited by NVD: https://www.wordfence.com/threat-intel/vulnerabilities/id/2d35279d-299e-4ca2-8f84-165284e058c8?source=cve