CVE-2026-12073 Overview
CVE-2026-12073 is a privilege escalation vulnerability in the ProfileGrid – User Profiles, Groups and Communities plugin for WordPress. The flaw affects all versions up to and including 5.9.9.5. The plugin fails to validate a user_login parameter on registration forms that omit it, and it mishandles the resulting error messages. Unauthenticated attackers can change the email address of the user account with ID=1, which is typically the site administrator. Attackers then trigger a password reset against the modified email address and take over the administrator account. The issue is categorized under CWE-639 — Authorization Bypass Through User-Controlled Key.
Critical Impact
Unauthenticated remote attackers can take over the WordPress administrator account, leading to full site compromise.
Affected Products
- ProfileGrid – User Profiles, Groups and Communities plugin for WordPress
- All versions up to and including 5.9.9.5
- WordPress sites with account ID=1 assigned to an administrator (default configuration)
Discovery Timeline
- 2026-06-30 - CVE-2026-12073 published to NVD
- 2026-06-30 - Last updated in NVD database
Technical Details for CVE-2026-12073
Vulnerability Analysis
The ProfileGrid plugin exposes registration form handlers that accept user-supplied parameters without enforcing the presence of a user_login field. When the form omits user_login, the plugin logic does not reject the request and does not correctly surface error conditions. The handler continues to process attacker-supplied data, including an updated email address, and applies changes to an existing account rather than creating a new one. Attackers target the account with ID=1, which WordPress assigns to the first administrator created during installation. After overwriting the administrator's email address, the attacker requests a password reset through the standard WordPress workflow. The reset link is delivered to the attacker-controlled inbox, enabling authentication as the administrator.
Root Cause
The root cause is missing input validation combined with improper error handling in the registration flow. The plugin treats a missing user_login as a non-fatal condition and reuses the request context to modify an existing user record. This pattern maps to CWE-639 because authorization is tied to a user-controlled identifier without verifying that the requester owns the target account.
Attack Vector
The attack requires no authentication and no user interaction. An attacker submits a crafted POST request to the plugin's registration endpoint, omitting user_login and supplying an email address they control alongside a target user identifier resolving to ID=1. After the email swap, the attacker uses WordPress's wp-login.php?action=lostpassword flow to obtain a reset token and complete the account takeover.
No verified exploit code is published for this CVE. See the Wordfence Vulnerability Report and the WordPress Changeset Update for technical details.
Detection Methods for CVE-2026-12073
Indicators of Compromise
- Unexpected changes to the user_email field of the account with ID=1 in the wp_users table.
- Password reset emails delivered to unfamiliar addresses for the administrator account.
- POST requests to ProfileGrid registration endpoints that lack a user_login parameter.
- New administrator logins from unrecognized IP addresses shortly after a password reset event.
Detection Strategies
- Audit the wp_users table for recent modifications to administrator email addresses and correlate them with web server access logs.
- Inspect WordPress access logs for requests to ProfileGrid registration endpoints containing suspicious parameter combinations.
- Enable WordPress audit logging plugins to record user profile changes and password reset events.
Monitoring Recommendations
- Alert on any change to the email address of privileged accounts, especially ID=1.
- Monitor wp-login.php?action=lostpassword requests targeting administrator usernames from external sources.
- Track outbound password reset emails and flag deliveries to newly seen domains.
How to Mitigate CVE-2026-12073
Immediate Actions Required
- Update the ProfileGrid plugin to a version later than 5.9.9.5 as soon as the vendor publishes a fixed release.
- Verify that the administrator email address on account ID=1 is correct and reset the administrator password.
- Enable two-factor authentication on all WordPress administrator accounts to blunt password reset abuse.
- Review WordPress user roles and remove unnecessary administrator privileges.
Patch Information
The vendor has committed a fix in the plugin repository. Review the WordPress Changeset Update for the code-level correction and the Wordfence Vulnerability Report for the corresponding advisory. Site owners should upgrade to the patched release once available through the WordPress plugin directory.
Workarounds
- Deactivate the ProfileGrid plugin until a patched version is installed.
- Restrict access to ProfileGrid registration endpoints using a web application firewall rule that requires a valid user_login parameter.
- Reassign the primary administrator role to an account other than ID=1 and demote ID=1 to a lower-privilege role where feasible.
# Example WAF rule (ModSecurity) to block registrations missing user_login
SecRule REQUEST_URI "@contains /wp-admin/admin-ajax.php" \
"chain,phase:2,deny,status:403,id:1026012073,\
msg:'Block ProfileGrid registration missing user_login'"
SecRule ARGS:action "@rx (?i)profilegrid.*register" "chain"
SecRule &ARGS:user_login "@eq 0"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

