CVE-2025-6977 Overview
CVE-2025-6977 is a Reflected Cross-Site Scripting (XSS) vulnerability in the ProfileGrid – User Profiles, Groups and Communities plugin for WordPress. The flaw affects all versions up to and including 5.9.5.4 and stems from insufficient input sanitization and output escaping in the pm_get_messenger_notification function. Unauthenticated attackers can inject arbitrary web scripts that execute in a victim's browser when the victim clicks a crafted link. Successful exploitation can lead to session compromise, credential theft, or unauthorized actions performed under the victim's authenticated session.
Critical Impact
Unauthenticated attackers can execute arbitrary JavaScript in the browser of any user tricked into clicking a malicious link, enabling session hijacking against logged-in administrators.
Affected Products
- Metagauss ProfileGrid – User Profiles, Groups and Communities plugin for WordPress
- All versions up to and including 5.9.5.4
- WordPress sites with the ProfileGrid plugin activated
Discovery Timeline
- 2025-07-16 - CVE-2025-6977 published to NVD
- 2026-06-17 - Last updated in NVD database
Technical Details for CVE-2025-6977
Vulnerability Analysis
CVE-2025-6977 is a Reflected Cross-Site Scripting (XSS) vulnerability classified under [CWE-79]. The issue resides in the pm_get_messenger_notification function within class-profile-magic-public.php. User-supplied input reaching this function is reflected back in the HTTP response without proper sanitization or output encoding.
Because the vulnerability is reflected and unauthenticated, an attacker only needs a target to visit a specifically crafted URL. When a logged-in WordPress user, particularly an administrator, follows the link, the attacker-controlled JavaScript executes under the origin of the vulnerable site. This grants the attacker the ability to read cookies, perform authenticated actions, or pivot to further site compromise.
Root Cause
The root cause is missing input sanitization and missing output escaping in the pm_get_messenger_notification handler. The affected code paths, referenced at lines 1322, 1329, and 1330 of class-profile-magic-public.php, incorporate request parameters directly into the rendered response. WordPress provides functions such as sanitize_text_field() and esc_html() that should have been applied to untrusted request data before use.
Attack Vector
The attack vector is network-based and requires user interaction. An attacker crafts a URL containing a malicious payload targeting the vulnerable parameter processed by pm_get_messenger_notification. The attacker then distributes the link through phishing email, social media, forum posts, or malicious advertising. When a victim with an active WordPress session clicks the link, the reflected payload executes in their browser context, giving the attacker access to session tokens and the ability to perform authenticated requests. See the Wordfence Vulnerability Analysis for additional technical detail.
Detection Methods for CVE-2025-6977
Indicators of Compromise
- HTTP requests to ProfileGrid endpoints containing <script>, javascript:, onerror=, or URL-encoded equivalents such as %3Cscript%3E in query parameters
- Unexpected outbound requests from administrator browsers to attacker-controlled domains following a click on an external link
- Web server access logs showing requests invoking pm_get_messenger_notification with unusual or encoded parameter values
- New or modified administrator accounts, plugins, or themes created shortly after a suspicious link click
Detection Strategies
- Deploy web application firewall (WAF) rules that inspect query strings and POST bodies for XSS patterns targeting ProfileGrid parameters
- Monitor WordPress audit logs for administrative changes correlated with recent user link clicks or referrer anomalies
- Correlate browser telemetry with web server logs to identify script execution originating from reflected parameters
Monitoring Recommendations
- Enable verbose logging on the WordPress site and forward access logs to a centralized SIEM for pattern-based analysis
- Alert on requests to ProfileGrid endpoints containing HTML control characters (<, >, ", ') or event handler keywords
- Track referer headers pointing to unknown external domains that immediately precede administrative actions
How to Mitigate CVE-2025-6977
Immediate Actions Required
- Update the ProfileGrid – User Profiles, Groups and Communities plugin to the version released in WordPress Changeset #3324676, which is any release after 5.9.5.4
- Invalidate all active administrator sessions and force password rotation for privileged accounts
- Review WordPress user, plugin, and theme inventories for unauthorized modifications made during the vulnerable window
Patch Information
Metagauss has addressed the vulnerability in a patched release tracked by WordPress Changeset #3324676. Site administrators should upgrade to the latest available version of the ProfileGrid plugin from the WordPress plugin repository. The fix introduces proper sanitization and output escaping in the pm_get_messenger_notification code paths at lines 1322, 1329, and 1330 of class-profile-magic-public.php.
Workarounds
- Deactivate the ProfileGrid plugin until patching is complete if immediate updates are not feasible
- Deploy WAF signatures that block XSS payloads targeting ProfileGrid request parameters
- Implement a strict Content Security Policy (CSP) that disallows inline scripts and restricts script sources to trusted origins
- Train administrators to avoid clicking untrusted links while authenticated to the WordPress admin console
# Example WAF ModSecurity rule to block XSS patterns targeting ProfileGrid
SecRule REQUEST_URI "@contains profilegrid" \
"chain,phase:2,deny,status:403,id:1006977,\
msg:'Potential CVE-2025-6977 XSS attempt against ProfileGrid'"
SecRule ARGS "@rx (?i)(<script|javascript:|onerror=|onload=)" \
"t:none,t:urlDecodeUni,t:htmlEntityDecode"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

