Overview
A critical privilege escalation vulnerability (CVE-2026-12073) has been disclosed in the ProfileGrid – User Profiles, Groups and Communities plugin for WordPress. With a CVSS score of 9.8 (Critical), this flaw allows unauthenticated remote attackers to take over arbitrary user accounts, including administrator accounts, without requiring any prior authentication.
All versions of the plugin up to and including 5.9.9.5 are confirmed vulnerable.
Technical Details
The root cause of CVE-2026-12073 lies in how the plugin handles user registration forms. Specifically, the plugin fails to validate the user_login parameter on certain registration form variants that are designed to omit that field. An attacker can craft a registration request that specifies an arbitrary existing username, causing the plugin to associate the new registration session or token with a different account.
This account takeover mechanism then enables privilege escalation — an unauthenticated attacker can target an existing administrator account, assume control of it, and gain full administrative access to the WordPress installation.
Key technical factors:
- No authentication required — the attack is fully unauthenticated
- Any account targetable — attackers can target any existing user including admins
- Registration form abuse — triggered via crafted registration requests
- Missing input validation —
user_loginparameter not validated on specific form types
Impact
The impact of this vulnerability is severe:
- Full site compromise — administrative access enables theme/plugin installation, code execution, and data exfiltration
- Database access — WordPress admins can read and modify all site content and user data
- Backdoor installation — attackers commonly install webshells or malicious plugins post-compromise
- Multi-site environments — in WordPress Multisite setups, a single super-admin compromise can cascade across all subsites
The ProfileGrid plugin is widely deployed across community-driven WordPress sites, membership portals, and social network plugins, making the attack surface significant.
Affected Versions
| Component | Affected Versions |
|---|---|
| ProfileGrid – User Profiles, Groups and Communities | All versions <= 5.9.9.5 |
Remediation
WordPress site administrators should take the following steps immediately:
- Update the plugin to the latest patched version as soon as it becomes available via the WordPress plugin repository
- Audit user accounts — review recently created administrator or elevated accounts for unauthorized activity
- Review access logs — check for unusual registration activity or account logins around the disclosure date
- Consider temporary deactivation if an update is not yet available and the plugin is not business-critical
- Enable WAF rules if your hosting provider or security plugin (Wordfence, Sucuri) offers virtual patching
CVSS Score Breakdown
| Metric | Value |
|---|---|
| Base Score | 9.8 Critical |
| Attack Vector | Network |
| Attack Complexity | Low |
| Privileges Required | None |
| User Interaction | None |
| Scope | Unchanged |
| Confidentiality | High |
| Integrity | High |
| Availability | High |