Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2025-49876

CVE-2025-49876: ProfileGrid SQL Injection Vulnerability

CVE-2025-49876 is a SQL injection flaw in ProfileGrid User Profiles plugin that allows attackers to execute malicious SQL commands. This article covers the technical details, affected versions up to 5.9.5.2, and mitigation.

Published:

CVE-2025-49876 Overview

CVE-2025-49876 is a SQL Injection vulnerability in the Metagauss ProfileGrid plugin for WordPress, tracked as profilegrid-user-profiles-groups-and-communities. The flaw stems from improper neutralization of special elements used in an SQL command [CWE-89]. It affects ProfileGrid versions from n/a through <= 5.9.5.2. An authenticated attacker with low privileges can inject crafted SQL statements through plugin input handlers. Successful exploitation allows attackers to read sensitive database contents and disrupt service availability. The scope is changed, meaning impact extends beyond the vulnerable component to other site resources.

Critical Impact

Authenticated attackers can execute arbitrary SQL queries against the WordPress database, exposing user data and supporting privilege escalation across the site.

Affected Products

  • Metagauss ProfileGrid plugin for WordPress
  • ProfileGrid versions through 5.9.5.2
  • WordPress sites using profilegrid-user-profiles-groups-and-communities

Discovery Timeline

  • 2025-07-16 - CVE-2025-49876 published to NVD
  • 2026-04-23 - Last updated in NVD database

Technical Details for CVE-2025-49876

Vulnerability Analysis

The vulnerability allows SQL Injection in the ProfileGrid plugin used for WordPress user profiles, groups, and communities. ProfileGrid handles user input parameters that are concatenated into SQL queries without proper sanitization or parameterization. An attacker with low-level authenticated access, such as a subscriber account, can submit crafted input that alters query logic. The CWE-89 classification confirms the root issue is failure to neutralize special SQL characters.

The EPSS score is 0.309% with a percentile of 22.337, indicating moderate predicted exploitation likelihood relative to peer CVEs. No public exploit is currently confirmed, and the CVE is not listed in the CISA Known Exploited Vulnerabilities catalog.

Root Cause

The root cause is the construction of SQL queries using unsanitized user-supplied input within ProfileGrid request handlers. The plugin fails to apply prepared statements or escape input using WordPress functions such as $wpdb->prepare(). This pattern allows special SQL metacharacters to break out of intended query context.

Attack Vector

The attack vector is network-based and requires low privileges with no user interaction. An authenticated attacker sends crafted HTTP requests to plugin endpoints that pass parameters into vulnerable database queries. Because the CVSS scope is changed, query results can reach data outside the plugin's own tables, including core WordPress user and option tables.

The vulnerability manifests in ProfileGrid request handlers that interpolate user input into SQL queries. See the Patchstack Vulnerability Report for technical details.

Detection Methods for CVE-2025-49876

Indicators of Compromise

  • HTTP requests to ProfileGrid endpoints containing SQL metacharacters such as ', --, UNION SELECT, or SLEEP(
  • Unexpected database errors logged by WordPress or MySQL referencing ProfileGrid queries
  • New or modified rows in wp_users or wp_usermeta tables originating from low-privilege accounts
  • Outbound data exfiltration patterns following authenticated requests to ProfileGrid pages

Detection Strategies

  • Inspect web server access logs for ProfileGrid request parameters containing SQL syntax
  • Enable MySQL general query logging temporarily to identify malformed queries from the plugin
  • Deploy a Web Application Firewall (WAF) ruleset that flags SQL injection patterns on WordPress AJAX and REST endpoints
  • Correlate authenticated low-privilege session activity with anomalous database read volume

Monitoring Recommendations

  • Monitor WordPress audit logs for repeated failed requests to admin-ajax.php actions registered by ProfileGrid
  • Alert on new administrator account creation following ProfileGrid request activity
  • Track plugin version inventory to identify hosts running ProfileGrid <= 5.9.5.2

How to Mitigate CVE-2025-49876

Immediate Actions Required

  • Update the ProfileGrid plugin to a version later than 5.9.5.2 as soon as a fixed release is available from Metagauss
  • Restrict registration and lower-privilege account creation on affected WordPress sites until patched
  • Audit existing user accounts and database contents for signs of unauthorized access
  • Rotate WordPress secret keys, administrator passwords, and any database credentials exposed through the site

Patch Information

Metagauss addresses the issue in a release following ProfileGrid 5.9.5.2. Refer to the Patchstack Vulnerability Report for the latest fixed version guidance and vendor advisory links.

Workarounds

  • Deactivate and remove the ProfileGrid plugin until an updated version is installed
  • Apply virtual patching through a WAF rule that blocks SQL metacharacters in ProfileGrid request parameters
  • Limit access to ProfileGrid endpoints using server-level IP allowlisting for administrative functions
bash
# Configuration example: temporary WAF rule blocking SQL syntax on ProfileGrid endpoints
SecRule REQUEST_URI "@contains profilegrid" \
  "id:1004988,phase:2,deny,status:403,\
   chain,msg:'Block potential SQL injection against ProfileGrid (CVE-2025-49876)'"
  SecRule ARGS "@rx (?i)(union(\s|/\*.*\*/)+select|sleep\s*\(|--\s|';)" \
    "t:none,t:urlDecodeUni"

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.