CVE-2026-11359 MEDIUM

CVE-2026-11359: Memberships and User Profiles for WooCommerce <= 3.4 - Missing Authorization to Authenticated (Subscriber+) ProfileGrid Plugin Installation and Activation

Vendor Metagauss
Product Memberships and User Profiles for WooCommerce – ProfileGrid WooCommerce Integration
Weakness CWE-862 · Missing authorization
Published July 9, 2026
Last update July 9, 2026

CVSS base score

4.3/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality None
Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

What the vulnerability does

01Description

The Memberships and User Profiles for WooCommerce – ProfileGrid WooCommerce Integration plugin for WordPress is vulnerable to unauthorized plugin installation and activation in versions up to, and including, 3.4. This is due to a missing capability check and missing nonce validation on the pg_install_profilegrid() AJAX handler registered via wp_ajax_pg_install_profilegrid. This makes it possible for authenticated attackers, with Subscriber-level access and above, to install and activate the ProfileGrid plugin from wordpress.

Explanation of Vulnerability in Simple Terms

02Summary

ProfileGrid WooCommerce Integration versions 3.4 and earlier lack proper authorization checks, allowing authenticated users to modify data they should not have access to. A logged-in user with low privileges can alter information without proper permission validation. The vulnerability affects the plugin's core functionality and requires an active user account to exploit.

What an attacker can do

03Attacker Capabilities

Modify data or settings they should not have permission to change.

Potential impact on your site

04Site Impact

Authenticated users can alter site data or user profiles beyond their intended permissions.

Conditions required to exploit

05Prerequisites

Attacker must have a low-privilege user account on the site.

Key dates

06Disclosure timeline

July 9, 2026 CVE published
July 9, 2026 Record updated

Related vulnerabilities

08Related CVE