CVE-2025-26999
Published: 03 March 2025
Description
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Security Summary
CVE-2025-26999 is a Deserialization of Untrusted Data vulnerability (CWE-502) in the Metagauss ProfileGrid WordPress plugin, known as profilegrid-user-profiles-groups-and-communities. The flaw enables Object Injection and affects all versions of the plugin from n/a through 5.9.4.3 inclusive. Published on 2025-03-03, it carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating high severity due to its potential for significant impact.
An authenticated attacker with low privileges (PR:L), such as a standard WordPress user, can exploit this vulnerability over the network (AV:N) with low attack complexity (AC:L) and no user interaction required (UI:N). Successful exploitation allows high impacts on confidentiality, integrity, and availability (C:H/I:H/A:H), potentially leading to arbitrary code execution or other severe consequences via the object injection mechanism.
The Patchstack advisory provides further details on this PHP Object Injection vulnerability in ProfileGrid version 5.9.4.3, available at https://patchstack.com/database/Wordpress/Plugin/profilegrid-user-profiles-groups-and-communities/vulnerability/wordpress-profilegrid-plugin-5-9-4-3-php-object-injection-vulnerability?_s_id=cve. Security practitioners should consult this reference for mitigation guidance, such as updating to a patched version if available.
Details
- CWE(s)
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Deserialization/object injection vulnerability in public-facing WordPress plugin enables remote exploitation by authenticated low-priv users leading to arbitrary code execution (T1190) and privilege escalation (T1068).