Skip to main content
CVE Vulnerability Database

CVE-2025-6977: ProfileGrid WordPress Plugin XSS Flaw

CVE-2025-6977 is a reflected cross-site scripting vulnerability in the ProfileGrid WordPress plugin that allows unauthenticated attackers to inject malicious scripts. This article covers technical details, affected versions, and mitigation.

Published:

CVE-2025-6977 Overview

CVE-2025-6977 is a Reflected Cross-Site Scripting (XSS) vulnerability in the ProfileGrid – User Profiles, Groups and Communities plugin for WordPress. The flaw affects all versions up to and including 5.9.5.4 and stems from insufficient input sanitization and output escaping in the pm_get_messenger_notification function. Unauthenticated attackers can inject arbitrary web scripts that execute in a victim's browser when the victim clicks a crafted link. Successful exploitation can lead to session compromise, credential theft, or unauthorized actions performed under the victim's authenticated session.

Critical Impact

Unauthenticated attackers can execute arbitrary JavaScript in the browser of any user tricked into clicking a malicious link, enabling session hijacking against logged-in administrators.

Affected Products

  • Metagauss ProfileGrid – User Profiles, Groups and Communities plugin for WordPress
  • All versions up to and including 5.9.5.4
  • WordPress sites with the ProfileGrid plugin activated

Discovery Timeline

  • 2025-07-16 - CVE-2025-6977 published to NVD
  • 2026-06-17 - Last updated in NVD database

Technical Details for CVE-2025-6977

Vulnerability Analysis

CVE-2025-6977 is a Reflected Cross-Site Scripting (XSS) vulnerability classified under [CWE-79]. The issue resides in the pm_get_messenger_notification function within class-profile-magic-public.php. User-supplied input reaching this function is reflected back in the HTTP response without proper sanitization or output encoding.

Because the vulnerability is reflected and unauthenticated, an attacker only needs a target to visit a specifically crafted URL. When a logged-in WordPress user, particularly an administrator, follows the link, the attacker-controlled JavaScript executes under the origin of the vulnerable site. This grants the attacker the ability to read cookies, perform authenticated actions, or pivot to further site compromise.

Root Cause

The root cause is missing input sanitization and missing output escaping in the pm_get_messenger_notification handler. The affected code paths, referenced at lines 1322, 1329, and 1330 of class-profile-magic-public.php, incorporate request parameters directly into the rendered response. WordPress provides functions such as sanitize_text_field() and esc_html() that should have been applied to untrusted request data before use.

Attack Vector

The attack vector is network-based and requires user interaction. An attacker crafts a URL containing a malicious payload targeting the vulnerable parameter processed by pm_get_messenger_notification. The attacker then distributes the link through phishing email, social media, forum posts, or malicious advertising. When a victim with an active WordPress session clicks the link, the reflected payload executes in their browser context, giving the attacker access to session tokens and the ability to perform authenticated requests. See the Wordfence Vulnerability Analysis for additional technical detail.

Detection Methods for CVE-2025-6977

Indicators of Compromise

  • HTTP requests to ProfileGrid endpoints containing <script>, javascript:, onerror=, or URL-encoded equivalents such as %3Cscript%3E in query parameters
  • Unexpected outbound requests from administrator browsers to attacker-controlled domains following a click on an external link
  • Web server access logs showing requests invoking pm_get_messenger_notification with unusual or encoded parameter values
  • New or modified administrator accounts, plugins, or themes created shortly after a suspicious link click

Detection Strategies

  • Deploy web application firewall (WAF) rules that inspect query strings and POST bodies for XSS patterns targeting ProfileGrid parameters
  • Monitor WordPress audit logs for administrative changes correlated with recent user link clicks or referrer anomalies
  • Correlate browser telemetry with web server logs to identify script execution originating from reflected parameters

Monitoring Recommendations

  • Enable verbose logging on the WordPress site and forward access logs to a centralized SIEM for pattern-based analysis
  • Alert on requests to ProfileGrid endpoints containing HTML control characters (<, >, ", ') or event handler keywords
  • Track referer headers pointing to unknown external domains that immediately precede administrative actions

How to Mitigate CVE-2025-6977

Immediate Actions Required

  • Update the ProfileGrid – User Profiles, Groups and Communities plugin to the version released in WordPress Changeset #3324676, which is any release after 5.9.5.4
  • Invalidate all active administrator sessions and force password rotation for privileged accounts
  • Review WordPress user, plugin, and theme inventories for unauthorized modifications made during the vulnerable window

Patch Information

Metagauss has addressed the vulnerability in a patched release tracked by WordPress Changeset #3324676. Site administrators should upgrade to the latest available version of the ProfileGrid plugin from the WordPress plugin repository. The fix introduces proper sanitization and output escaping in the pm_get_messenger_notification code paths at lines 1322, 1329, and 1330 of class-profile-magic-public.php.

Workarounds

  • Deactivate the ProfileGrid plugin until patching is complete if immediate updates are not feasible
  • Deploy WAF signatures that block XSS payloads targeting ProfileGrid request parameters
  • Implement a strict Content Security Policy (CSP) that disallows inline scripts and restricts script sources to trusted origins
  • Train administrators to avoid clicking untrusted links while authenticated to the WordPress admin console
bash
# Example WAF ModSecurity rule to block XSS patterns targeting ProfileGrid
SecRule REQUEST_URI "@contains profilegrid" \
    "chain,phase:2,deny,status:403,id:1006977,\
    msg:'Potential CVE-2025-6977 XSS attempt against ProfileGrid'"
    SecRule ARGS "@rx (?i)(<script|javascript:|onerror=|onload=)" \
        "t:none,t:urlDecodeUni,t:htmlEntityDecode"

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.